Splunk Search

eval an existing field which is used for a lookup...

ndcl
Path Finder

Hi Base,
When I do an eval on an existing field which is also used for a lookup, then the lookup ignores the eval result and uses the original instead.
E.g. I have IP addresses from 2 fields, fieldIpA and fieldIpB, and I combine them:

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)

If I do a “stats list(fieldIpA)” I will get a list with the results from both. If I do a lookup to resolve the IP to something else:

| lookup IPDes Description as rIPs

Then the lookup only returns the results from fieldIpA.
If I add to the props.conf declaration:

LOOKUP-rIP = fieldIpA AS tIP OUTPUT Description as rIPs

and do the eval with the tIP field, then I get empty results and no lookup.
How is it possible to get the lookup to work?

Thanks!

1 Solution

ndcl
Path Finder

Two lookups do the job. Declare a lookup for both fields in props.conf:

LOOKUP-rIPA = aLOIP AS fieldIpA OUTPUT Description as ArIPs
LOOKUP-rIPB = bLOIP AS fieldIpB OUTPUT Description as BrIPs

Point the lookups to the same file in transforms.conf:

[aLOIP]
filename = ip_Des.csv
[bLOIP]
filename = ip_Des.csv

Now the search looks like this:

... | lookup aLOIP Description as ArIPs | lookup bLOIP Description as BrIPs | eval NewrIPs=coalesce(ArIPs,BrIPs) | stats list(NewrIPs)

If you want, you can skip the Description part in the lookup.

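As an added illustration (not code from the thread or from Splunk), this small Python model of the pipeline order shows why the original search only resolved fieldIpA, while both an explicit lookup placed after the eval and the accepted two-lookup-then-coalesce approach resolve both fields. The CSV column name ip, the sample rows and the sample events are assumptions constructed for the example.

```python
# Added example (not from the thread): a toy model of Splunk pipeline order, where
# automatic props.conf LOOKUP-* lookups fire on extracted fields before "| eval",
# while "| lookup" runs where it sits. The "ip" column, CSV rows and events are constructed.
import csv, io
from copy import deepcopy
IP_DES_CSV = """ip,Description
10.0.0.1,dns-server
10.0.0.2,web-proxy
10.0.0.3,jump-host
"""
TABLE = {r["ip"]: r["Description"] for r in csv.DictReader(io.StringIO(IP_DES_CSV))}
EVENTS = [  # constructed: some carry only fieldIpA, some only fieldIpB, one both
    {"fieldIpA": "10.0.0.1"},
    {"fieldIpB": "10.0.0.2"},
    {"fieldIpA": "10.0.0.3", "fieldIpB": "10.0.0.2"},
]

def lookup(events, table, match_field, out_field):  # "| lookup X ip AS match OUTPUT Description AS out"
    for e in events:
        if e.get(match_field) in table:
            e[out_field] = table[e[match_field]]
    return events

def coalesce(events, dest, *fields):  # "| eval dest=coalesce(...)": first non-null value wins
    for e in events:
        for f in fields:
            if e.get(f) is not None:
                e[dest] = e[f]
                break
    return events

def auto_lookup_then_eval(events=EVENTS, table=TABLE):  # the OP's original search
    ev = deepcopy(events)                                # auto lookup already ran on raw fieldIpA
    lookup(ev, table, "fieldIpA", "rIPs")
    coalesce(ev, "fieldIpA", "fieldIpA", "fieldIpB")
    return [e.get("rIPs") for e in ev]

def eval_then_explicit_lookup(events=EVENTS, table=TABLE):  # linu1988's advice
    ev = deepcopy(events)
    coalesce(ev, "fieldIpA", "fieldIpA", "fieldIpB")
    lookup(ev, table, "fieldIpA", "rIPs")                   # sees the coalesced value
    return [e.get("rIPs") for e in ev]

def two_lookups_then_coalesce(events=EVENTS, table=TABLE):  # the accepted answer
    ev = deepcopy(events)
    lookup(ev, table, "fieldIpA", "ArIPs")
    lookup(ev, table, "fieldIpB", "BrIPs")
    coalesce(ev, "NewrIPs", "ArIPs", "BrIPs")
    return [e.get("NewrIPs") for e in ev]
```

The second event, which only has fieldIpB, stays unresolved in the first pipeline and is resolved by the other two.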

ndcl
Path Finder

The problem asked here was the lookup, not the coalesce, and in my case it matches the definition exactly.

Thanks


linu1988
Champion

Are you sure it's right? It may work for now, but you will never get "BrIPs" if the "ArIPs" value is not NULL. Please follow the definition of coalesce carefully. Thanks.


ndcl
Path Finder

It seems that I was not exact enough. Of course I get the values of fieldIpA, that's my intention, but if I use it in the way you suggested:

“| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)”

then I'm back at the starting point of the problem. The values of fieldIpA are from before the processing via eval, and the lookup comes after the eval. I think that the lookup will be built before search time and the eval will cast the field to a new variable that the lookup does not "see". I had better create 2 lookups and combine the result fields.

Thanks


linu1988
Champion

Yes, it will always return the value of fieldIpA if it's not Null anywhere. That's the job of the coalesce function. If you want both of them, then you have to do the query below.

table fieldIpA,fieldIpB| lookup LtDes fieldIpA |lookup LtDes fieldIpB as fieldIpA|stats list(fieldIpA,fieldIpB)

Let's hope it gives you the result.


ndcl
Path Finder

OK, my fault: I missed the IPDes, but it was there, so:

LOOKUP-rIP = IPDes fieldIpA OUTPUT Description as rIPs

is the correct line. The search:

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)

worked, but with the same result as before: only values from fieldIpA.


linu1988
Champion

It should be:

In props.conf I declare IPDes:
LOOKUP-rIP = LtDes fieldIpA OUTPUTNEW rIPs

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)

Please give the correct column name in the lookup table.
Have fieldIpA,rIPs as lookup fields; that should do the job for you.


ndcl
Path Finder

The original search looks similar to this:

...| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup IPDes Description as rIPs | stats list(fieldIpA)

In props.conf I declare IPDes:
LOOKUP-rIP = fieldIpA OUTPUT Description as rIPs

The lookup field has the same name as the field.

And transforms.conf:
[LtDes]
filename = ip_Des.csv

If I use this syntax: "lookup fieldIpA as fieldIpA", it throws an error: no such lookup. Right after the lookup command, the lookup name is needed.


linu1988
Champion

Could you share the search query? After the eval, fieldIpA=coalesce(fieldIpA,fieldIpB)|lookup fieldIpA as Lookuptable_field should give you the result.


linu1988
Champion

Are you doing the eval on the same field and assigning it to itself? Assign it to some other variable if you are using it for other purposes. Try doing the lookup after the eval is done and you have the final result for the field. And while calling lookup, try to specify the field names,

e.g. |lookup search_field as lookup_field
