Getting Data In

In an app, can I reuse a lookup result in another lookup?

ggoupil
New Member

I am developing an app, where I would like to normalize the value of a field coming from a lookup.

From the documentation of props.conf, it is clear that it is not possible to have an eval after a lookup. Though it is not really clear to me whether the value from a lookup can be reused in another lookup.

For example in my props.conf I am trying to do something like this:

LOOKUP-01 = mykvstore kvstoref1 as eventf1 OUTPUT kvstoref2 as eventf2
LOOKUP-02 = mycsvlookup csvf1 as eventf2 OUTPUT csvf2 as eventf3

I extract a value from mykvstore and save it in event field eventf2. Then I want to use the value of the event field eventf2 to retrieve my normalized value and save it in eventf3. I am not able to get this example working, but I can't find out whether this is because I am using the wrong syntax, or whether this is just not supported in Splunk.

What I really want is to have this normalization handled by the app, and not to have to do an extra transformation when executing the search.

0 Karma

gfreitas
Builder

Hi,

An easy way to assess whether you are using the correct syntax is to enter this lookup command in the search. If it does not give you any error, then the command is correct. In my Splunk installation I can use a lookup with a field from another lookup.

0 Karma

ggoupil
New Member

Thanks for the answer. When I am using the following in my search, indeed this is working. For example, something like:
* | lookup mykvstore kvstoref1 as eventf1 OUTPUT kvstoref2 as eventf2 | lookup mycsvlookup csvf1 as eventf2 OUTPUT csvf2 as eventf3

Though what I am really looking for is to have it working in my app. Any idea how I can get it working?

Thanks!

0 Karma

gfreitas
Builder

Yes, I have an app with two lookups that works exactly as you mentioned; here is the props.conf:

[sourcetype]
LOOKUP-clients = clients host OUTPUTNEW client
LOOKUP-approval = approval domain client OUTPUTNEW approval

After that I can see my search "sourcetype=sourcetype" returning client and approval fields for matching events.

Hope this helps.

0 Karma
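As an added illustration (not code from the thread, and not Splunk's own implementation), the following Python script emulates the two chained automatic lookups from the question over two constructed CSV tables. It shows what the props.conf stanza above relies on: the second lookup's input field (eventf2) only exists because the first lookup wrote it, so the order in which the automatic lookups run decides whether eventf3 is ever populated. The table contents, hostnames and client names are made up, and the ordering rule (automatic lookups applied in ASCII order of the LOOKUP-<class> name) is an assumption of this example rather than something the thread states.

```python
import csv
import io

# Constructed sample tables standing in for the thread's "mykvstore" and
# "mycsvlookup"; the hostnames and client names are made up for this example.
MYKVSTORE_CSV = """kvstoref1,kvstoref2
web01,Alice Corp
db02,bob-corp
"""
MYCSVLOOKUP_CSV = """csvf1,csvf2
Alice Corp,ALICE_CORP
bob-corp,BOB_CORP
"""


def load_lookup(text):
    """Parse a CSV lookup table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


MYKVSTORE = load_lookup(MYKVSTORE_CSV)
MYCSVLOOKUP = load_lookup(MYCSVLOOKUP_CSV)


def apply_lookup(event, table, in_field, as_in, out_field, as_out, outputnew=False):
    """Emulate `lookup <table> <in_field> AS <as_in> OUTPUT|OUTPUTNEW <out_field> AS <as_out>`.

    The event field `as_in` is matched against column `in_field`; on a hit,
    column `out_field` is written to the event as `as_out`. With OUTPUTNEW an
    existing `as_out` value is left untouched, mirroring Splunk's OUTPUTNEW.
    """
    key = event.get(as_in)
    if key is None:
        return event  # nothing to match on: the lookup is a no-op
    if outputnew and as_out in event:
        return event  # OUTPUTNEW never overwrites a field that is already set
    for row in table:
        if row.get(in_field) == key:
            event[as_out] = row[out_field]
            break
    return event


# The two automatic lookups from the question, as (name, table, spec...) tuples.
AUTO_LOOKUPS = [
    ("LOOKUP-01", MYKVSTORE, "kvstoref1", "eventf1", "kvstoref2", "eventf2"),
    ("LOOKUP-02", MYCSVLOOKUP, "csvf1", "eventf2", "csvf2", "eventf3"),
]


def enrich(event, lookups=AUTO_LOOKUPS, order_by_name=True):
    """Run the automatic lookups over one event and return an enriched copy.

    Assumption of this example (not verified against Splunk internals): the
    automatic lookups are applied in ASCII order of their LOOKUP-<class> name,
    so the name chosen in props.conf decides whether the second lookup sees
    the first one's output field.
    """
    event = dict(event)
    ordered = sorted(lookups, key=lambda l: l[0]) if order_by_name else lookups
    for _name, table, in_f, as_in, out_f, as_out in ordered:
        apply_lookup(event, table, in_f, as_in, out_f, as_out)
    return event


if __name__ == "__main__":
    print(enrich({"eventf1": "web01"}))
    # Reversed definition order with name-ordering disabled shows the failure
    # mode: eventf2 does not exist yet when the CSV lookup runs, so no eventf3.
    print(enrich({"eventf1": "web01"},
                 lookups=list(reversed(AUTO_LOOKUPS)), order_by_name=False))
```

The `order_by_name=False` run is the case to watch for when a chain silently stops producing the normalized field: the lookup that consumes eventf2 ran before the one that produces it. Checking the result of the equivalent piped `| lookup ... | lookup ...` search, as suggested earlier in the thread, is the quickest way to confirm the field mappings themselves are right before blaming the automatic-lookup order.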