Solved: Purpose of the "AS" statement in SPLUNK

mahbs · ‎11-16-2017

Hi,

What is the purpose of the AS statement in splunk?

I thought, when used, it creates an alias of a column/field as it does in SQL, however, I've found that when used in a lookup statement, it acts as a sort of comparison, for instance in the following query:

index=web_proxy | lookup full_user_names.csv username AS local_user OUTPUTNEW first_name, last_name

i thought username field would be renamed as"Local_user" because of the AS statement, however, I've been told that the statement in this scenario checks to see if a value in local_user matches a value in username.

Can someone explain to me what the function of this statement is?

Thanks

HiroshiSatoh · ‎11-16-2017

It just specifies a field that matches the lookup table.

<lookup-field> [AS <event-field>]

EX.
index=web_proxy|rename local_user as username
| lookup full_user_names.csv username OUTPUTNEW first_name, last_name

EX.
index=web_proxy
| lookup full_user_names.csv username as local_user OUTPUTNEW first_name, last_name,username
|table local_user ,username,first_name, last_name

View solution in original post

HiroshiSatoh · ‎11-16-2017

It just specifies a field that matches the lookup table.

<lookup-field> [AS <event-field>]

EX.
index=web_proxy|rename local_user as username
| lookup full_user_names.csv username OUTPUTNEW first_name, last_name

EX.
index=web_proxy
| lookup full_user_names.csv username as local_user OUTPUTNEW first_name, last_name,username
|table local_user ,username,first_name, last_name

Purpose of the "AS" statement in SPLUNK

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!