Splunk Enterprise

Field alias/calculated field

VijaySrrie
Builder

Hi,

LOOKUP-asset_lookup = server_summary host OUTPUTNEW serveros AS asset_os

I have a lookup where serveros is one of the fields.

asset_os is one of the fields enriched from serveros.

Now, I need one more field called os (for data modelling) which is the same as asset_os.

I tried the below but it's not working out (I need both the asset_os and os fields).

1) I tried asset_os as os in a field alias --> didn't work.

2) I created a calculated field,
case(isnotnull(asset_os),asset_os,1==1,"unknown") - asset_os is not showing in fields.

3) I added the below line into props.conf - also here asset_os is not showing in fields.

LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW serveros AS os

Is there any other way I can get both the asset_os and os fields in the fields list?

We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.

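Splunk runs field aliases and calculated fields before automatic lookups at search time, so neither of them can see a lookup-derived field such as asset_os; one way to get both names is to emit the same lookup column twice from a single automatic lookup. This is an added example, not configuration from the thread; it assumes the lookup definition server_summary in transforms.conf points at a CSV with columns host and serveros, and the sourcetype stanza and index names are placeholders.

```ini
# transforms.conf (assumed lookup definition; the CSV rows are constructed)
[server_summary]
filename = server_summary.csv
# server_summary.csv contents for this example:
#   host,serveros
#   web01,Linux
#   dc01,Windows

# props.conf on the search head, in the same app as the lookup
# placeholder: replace with the real sourcetype or source stanza
[placeholder_sourcetype]
# One automatic lookup keyed on the event field host, writing the lookup
# column serveros under two names in the same pass, so neither name is lost.
LOOKUP-asset_lookup = server_summary host OUTPUTNEW serveros AS asset_os, serveros AS os

# Verify from the search bar with the same clause before relying on props.conf:
#   index=placeholder_index
#   | lookup server_summary host OUTPUTNEW serveros AS asset_os, serveros AS os
#   | table host asset_os os
# Events whose host is absent from the CSV get neither field. A default such
# as "unknown" has to be filled after the lookup in the search (fillnull or
# coalesce), not in a props.conf calculated field, which runs before lookups.
```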

VijaySrrie
Builder

@venkatasri 

lookup table field name - serveros

Field available in log - No fields available

asset_os field is the enriched field from lookup table (serveros)

I am in need of a field called os (the os field is used for data modelling).

The os field can be enriched from the lookup table field serveros, but when I do that, the asset_os field is not showing.

I need a way to create a field called os which can be enriched from the lookup table field serveros, without disturbing the already existing field asset_os.


venkatasri
SplunkTrust

@VijaySrrie I have not quite understood yet.

Lookup table name - serveros ?

Field names in csv - asset_os, serveros

You want the output serveros AS os, along with asset_os?

To enrich from a CSV you should have some matching field in your event. You said 'No fields', meaning you just want to query the CSV and get the results using | inputlookup?


venkatasri
SplunkTrust

@VijaySrrie Try this search in the UI from where you have access to the lookup file. Do an inputlookup first to verify.

| lookup server_summary host OUTPUTNEW serveros as os, asset_os


venkatasri
SplunkTrust

Hi @VijaySrrie 

Can you describe it a little more simply: what fields you have in the lookup table, what fields are in the events, and which one matches the lookup field?

What would your output be?
