Hi,
What is the purpose of the AS statement in Splunk?
I thought that, when used, it creates an alias of a column/field as it does in SQL; however, I've found that when used in a lookup statement, it acts as a sort of comparison, for instance in the following query:
index=web_proxy | lookup full_user_names.csv username AS local_user OUTPUTNEW first_name, last_name
I thought the username field would be renamed as "Local_user" because of the AS statement; however, I've been told that the statement in this scenario checks to see if a value in local_user matches a value in username.
Can someone explain to me what the function of this statement is?
Thanks
It just specifies a field that matches the lookup table.
<lookup-field> [AS <event-field>]
EX.
index=web_proxy | rename local_user as username
| lookup full_user_names.csv username OUTPUTNEW first_name, last_name
EX.
index=web_proxy
| lookup full_user_names.csv username as local_user OUTPUTNEW first_name, last_name, username
| table local_user, username, first_name, last_name
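The matching behaviour described in the answer above, as an added Python model (not Splunk's code and not part of the original posts). The CSV rows and events are constructed sample data, and the model assumes exact-match keys, one table row per username, and events that do not already carry the output fields.

```python
import csv
import io

# Constructed stand-in for full_user_names.csv (sample rows, not from the page).
LOOKUP_CSV = """username,first_name,last_name
jdoe,Jane,Doe
asmith,Alan,Smith
"""

# Constructed web_proxy events: they carry local_user, not username.
EVENTS = [
    {"local_user": "jdoe", "url": "http://example.com/a"},
    {"local_user": "nobody", "url": "http://example.com/b"},
    {"local_user": "asmith", "url": "http://example.com/c"},
]


def lookup_outputnew(events, table_csv, lookup_field, event_field, dest_fields):
    """Model of: lookup <table> <lookup_field> AS <event_field> OUTPUTNEW <dest_fields>."""
    # Index the table by the lookup field; the first row per key wins in this model.
    index = {}
    for row in csv.DictReader(io.StringIO(table_csv)):
        index.setdefault(row[lookup_field], row)

    enriched = []
    for event in events:
        out = dict(event)  # event fields are kept; event_field is not renamed
        # AS pairs the table column (lookup_field) with the event field to compare.
        match = index.get(event.get(event_field))
        if match is not None:
            for field in dest_fields:
                # OUTPUTNEW: a value already present on the event is not overwritten.
                out.setdefault(field, match[field])
        enriched.append(out)  # unmatched events pass through unchanged
    return enriched


def run_example():
    # Mirrors the second search in the answer, which also outputs username.
    return lookup_outputnew(EVENTS, LOOKUP_CSV, "username", "local_user",
                            ["first_name", "last_name", "username"])


if __name__ == "__main__":
    for event in run_example():
        print(event)
```

The unmatched `nobody` event comes back with no `first_name`, `last_name` or `username`, which is the case to watch for when enriching proxy logs for user attribution.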