Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an error in the "Creating Splunk Knowledge Objects" eLearning course?

ctaf
Contributor
‎05-06-2016 03:54 AM

Hello,

I am currently following the "Creating Splunk Knowledge Objects" eLearning course but at one point, the teacher says:

"Calculated fields are evaluated after lookup are defined."

It is also written in red on the video.
This is situated at the "2- Aliases and Calc Fields" module --> "Manage Calc. Fields" --> 00:20 seconds.
And so the teacher insists that Calculated fields are not usable with lookup, but...

The props.conf documentation says something else:

"Splunk processes calculated fields after field extraction and field aliasing but before lookups"

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

cbreshears_splu
Splunk Employee
Splunk Employee
‎05-06-2016 11:52 AM

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

cbreshears_splu
Splunk Employee
Splunk Employee
‎05-06-2016 11:52 AM

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 12:22 PM

I converted this to the answer,

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎05-06-2016 10:53 AM

i've let folks in the edu group know about this, they should post here when they confirm etc.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 06:15 AM

I believe you are correct. The video is incorrect as eval occurs before lookups so that you can use the evaluated field in the lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...