topic Creating Field from Inputlookup in Splunk Search

Creating Field from Inputlookup

TooManyQuestion — Fri, 30 Oct 2020 00:46:15 GMT

Hello.
I'm trying to create a field for all events in a search. The field is a value from a inpulookup. There is no shared fields between the lookup and the search in the conventional sense. The organization of my lookup is as follows

ID email1 email2 email3

1 ex1@gmail..com ex2@gmail..com ex3@gmail..com

2 ex4@gmail..com ex5@gmail..com ex6@gmail..com

3 ex7@gmail..com ex8@gmail..com ex9@gmail..com

4 ex10@gmail..com ex11@gmail..com ex12@gmail..com

|inputlookup email.csv | search ID = "1" | strcat email1", " email2", " email3 emails | table emails

The above searches gives me my desired output of
emails=ex1@gmail.com, ex1@gmail.com, ex1@gmail.com

But when I pop in into an eval statement to give each event that field/value I get an error about a malformed eval.

Below is the eval I am trying to do.

Any help would be greatly appreciated. Thanks!

Re: Creating Field from Inputlookup

renjith_nair — Fri, 30 Oct 2020 02:56:42 GMT

Try

Re: Creating Field from Inputlookup

TooManyQuestion — Fri, 30 Oct 2020 02:54:13 GMT

Thanks! That got me there! I knew I was just messing up something small and couldn't work it out.

Just had to remove the emails before the subsearch otherwise it gave me "emails emails" as the field name!

Re: Creating Field from Inputlookup

renjith_nair — Fri, 30 Oct 2020 02:57:43 GMT

Yes, removed extra field. My bad, I forgot that 🙂

Re: Creating Field from Inputlookup

inventsekar — Fri, 30 Oct 2020 04:09:04 GMT

Hi @renjith_nair / all,

index=main | eval [|inputlookup ..... |return emails]

for SPL newbies, could someone explain this "eval" part, thanks.

Best Regards,

Sekar