Splunk Enterprise

Field alias/calculated field

VijaySrrie
Builder

Hi,

LOOKUP-asset_lookup = server_summary host OUTPUTNEW   serveros AS asset_os

I have a lookup where serveros is one of the fields.

asset_os is one of the enriched fields from serveros.

Now I need one more field called os (for data modelling) which is the same as asset_os.

I tried the below but it's not working out (I need both the asset_os and os fields):

1) I tried asset_os as os in field alias --> didn't work

2) I created a calculated field,
case(isnotnull(asset_os),asset_os,1==1,"unknown") - asset_os is not showing in fields

3) I added the below line into props.conf - Also here asset_os is not showing in fields

LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW   serveros AS os 

Is there any other way I can get both asset_os and os field in the fields?

We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.

0 Karma
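The following props.conf fragment is an added example, not configuration from the thread, showing how one automatic lookup can emit the same lookup field under both names. It assumes `server_summary` is the lookup definition (transforms.conf stanza) name, as the thread uses it, and `[your_sourcetype]` is a placeholder for the sourcetype whose `host` field is matched. Listing the same output field twice with two aliases is an assumption to confirm with the `| lookup` search command on your version before relying on it. Options 1 and 2 in the question fail because of Splunk's search-time operation order: field aliases and calculated fields are applied before automatic lookups, so neither can see `asset_os`.

```ini
# props.conf on the search head (for example in an app's local/ directory).
# Hypothetical sourcetype stanza; replace with the sourcetype that carries
# the host field matched against the lookup.
[your_sourcetype]

# One automatic lookup: match the event's host field against the lookup
# definition "server_summary" (a transforms.conf stanza). The lookup field
# serveros is written out twice, once as asset_os and once as os.
# OUTPUTNEW only fills a field when the event does not already have it.
LOOKUP-asset_lookup = server_summary host OUTPUTNEW serveros AS asset_os serveros AS os

# The two approaches below do not work and are left as comments to show why:
# field aliases and calculated fields are evaluated BEFORE automatic lookups
# at search time, so asset_os does not exist yet when they run.
# FIELDALIAS-os = asset_os AS os
# EVAL-os = if(isnotnull(asset_os), asset_os, "unknown")
```

Check the result in search with `index=<your_index> sourcetype=your_sourcetype | lookup server_summary host OUTPUTNEW serveros AS asset_os serveros AS os | stats count by asset_os os` (placeholders in angle brackets); both columns should carry the same value per host. If the data model needs `os` populated even for hosts missing from the lookup, supply the fallback inside the lookup definition (`min_matches = 1` with `default_match = unknown` in the transforms.conf stanza) rather than through a calculated field, since the calculated field runs before the lookup has produced anything.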

VijaySrrie
Builder

@venkatasri 

lookup table field name -  serveros 

Field available in log - No fields available

asset_os field is the enriched field from lookup table (serveros)

I am in need of field called os (os field used for data modelling) 

os field can be enriched from the lookup table field - serveros, but when I do like that asset_os field is not showing.

I need a way to create a field called os which can be enriched from the lookup table field serveros,  without disturbing the already existing field asset_os

 

0 Karma

venkatasri
SplunkTrust

@VijaySrrie I have not quite understood yet.

Lookup table name - serveros ?

Field names in csv - asset_os, serveros

you want output - serveros AS os? along with asset_os ?

To enrich from a CSV you should have some matching field in your event. You said 'No fields', meaning you just want to query the CSV and get the results using | inputlookup?

0 Karma

venkatasri
SplunkTrust

@VijaySrrie Try this search in the search UI, where you have access to the lookup file. Do an inputlookup first to verify.

| lookup server_summary host OUTPUTNEW serveros as os, asset_os

 

0 Karma

venkatasri
SplunkTrust

Hi @VijaySrrie 

Can you describe it a little more simply: what fields you have in the lookup table, what fields are in the events, and which one matches the lookup field?

What would your output be?

0 Karma