Splunk Search

Lookup on Calculated field

ChhayaV
Communicator

Hi,
Is it possible to do a lookup using a calculated field? If yes, what is the procedure?
I tried doing it but it is not working for me; maybe I am missing something.

Thanks and Regards

1 Solution

MHibbin
Influencer

Hi there,

I'm going to assume your calculated field is using stats or eval? For a better answer, tailored to your issue, it is always best to show the search being used (even if some values are omitted for security reasons).

After you have your "calculated" fields, you may want to rename the fields to a simple format, e.g.

.. | rename count(somefield) AS countSomeField
OR
.. | rename "Some Crazily Formatted_Field(!&$(" AS someField

I have had some issues with fields not looking up properly, but it worked once I changed the name being used. As I said, to help us help you, please paste in your search and the header row of the CSV file.

You can also check that Splunk has accepted your lookup configuration by running the following search (replacing the placeholder with your lookup name):

| inputlookup <yourLookupName>

NOTE: The "|" (pipe) should be the first character typed as this is a special search command.

UPDATE: Based on your example...

So to clarify, your CSV has the following header:

pages,modulename

And you wish to link the pages field from your lookup to the extracted module field from your search (as you described it as the Linkingfield)? If so, try the following:

host="hostname"
| rex field=msg "(GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))"
| lookup <yourLookupDefinition> pages AS module OUTPUT modulename
| table _time host module modulename

You should check out the documentation also... http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

Hope this helps,

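To put the pieces of the accepted answer together, here is an added SPL example (not code from the original thread) that first verifies the lookup is visible, then extracts module with rex, normalises it with eval, enriches it from a CSV whose header is pages,modulename, and finally reports any extracted modules that have no row in the lookup. The lookup definition name modulelookup, the host value, and the lower-case content of the CSV are assumptions; the msg format is taken from the question.

```spl
| inputlookup modulelookup
| head 5

host="hostname"
| rex field=msg max_match=1 "GET:\w+://[^)]+/(?<module>[^)]+\.(?:xap|aspx))"
| eval module=lower(trim(module))
| lookup modulelookup pages AS module OUTPUTNEW modulename
| fillnull value="UNMAPPED" modulename
| stats count AS requests BY host module modulename
| sort - requests

host="hostname"
| rex field=msg max_match=1 "GET:\w+://[^)]+/(?<module>[^)]+\.(?:xap|aspx))"
| eval module=lower(trim(module))
| lookup modulelookup pages AS module OUTPUTNEW modulename
| where isnull(modulename)
| stats count BY module
```

The first search must start with the pipe, as the answer notes; if it returns nothing, the lookup definition (Settings > Lookups > Lookup definitions, or a transforms.conf stanza) is not visible to the app or role you are searching from, and no lookup command will work. rex keeps only the first match by default, so max_match=1 is written out only to make that explicit. The eval line matters because CSV lookups are case-sensitive by default, and a calculated field that differs from the lookup value only by case or trailing whitespace silently fails to match; normalising both sides is the usual fix. OUTPUTNEW keeps any modulename the event already carries, whereas OUTPUT overwrites it. The third search is the maintenance check: it lists extracted modules missing from the CSV so the lookup can be kept complete.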

linu1988
Champion

Yes Chhaya, it's possible. But you need to have a common field in both the lookup table and the output data from the query.

Further, you need to use the lookup definition, as |inputlookup will not work in the middle of the query. You will definitely get the output if the data matches the lookup table data; your case will work out very well.

MHibbin
Influencer

That's cool.


linu1988
Champion

Agreed, edited my comment

MHibbin
Influencer

That's not entirely true, you can reference fields when doing the lookup, e.g. someField AS someOtherField.


ChhayaV
Communicator

Hi,
I want to restrict my regex to the first match. How can I do that?


ChhayaV
Communicator

Search:

host="hostname" | rex field=msg "(GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))"

I want to do a lookup on the module field extracted in rex.

The fields in the lookup file are:
pages (linking field) and modulename
