Getting Data In

csv lookup on aliased field

EricPartington
Communicator

I am trying to setup a csv lookup for data enrichment on an Aliased field. original field name dstport aliased to dest_port (common info model name)

what field will work for the data lookup?

lookup_table = ProtocolLookup dstport OUTPUT app

or

lookup_table = ProtocolLookup dest_port OUTPUT app

with the CSV column name reflecting either dest_port or dstport

0 Karma
1 Solution

Lowell
Super Champion

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

View solution in original post

0 Karma

Lowell
Super Champion

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app
0 Karma

EricPartington
Communicator

thanks, original port works fine as the base for this CSV enrichment.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...