https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646679#M223832 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Based on the source the env values get change, from the results I add a new field as 'env' using rex and then have to use the field value to differentiate the files specific to each env.</P> Mon, 12 Jun 2023 15:18:30 GMT Thulasinathan_M 2023-06-12T15:18:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646602#M223812 <P>Hi,</P> <P>I'm trying to find whether a lookup file is available or not. If yes, I want to use the same file, if not I want to use different file, so far with some helps, I've written below query, the eval fileName if condition is working fine, in the stats I could see the correct results(desired files I'm looking for).&nbsp;</P> <P>But I'm wondering whether I could use the filename in makeresults and search for lookup file. Could someone please assist. Thanks in advance.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=main sourcetype="dummySource" events | stats by EventCode | append [ | inputlookup states.csv | stats count as isAvailable ] | stats sum(isAvailable) as available, values(EventCode) as EventCode | eval fileName = if(available &gt; 0, "1.csv", "2.csv") | stats values(available) as available values(EventCode) as EventCode by fileName | join type=left fileName [| inputlookup [ | makeresults | eval search=fileName | table search ]]</LI-CODE> <P>&nbsp;</P> Mon, 12 Jun 2023 13:18:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646602#M223812 Thulasinathan_M 2023-06-12T13:18:01Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646619#M223815 <P>Essentially, you can't pass values from the outer search to the inner search, this is because, in general, the inner search is executed before the outer search.</P><P>One exception to this is the map command. However, the search which is executed for each event, replaces the event with its results.</P><P>You may be able to use this by doing the test first and use inputlookup to load the relevant csv file, then append your main search as a subsearch, then use stats to join your result to event from the lookup.</P> Mon, 12 Jun 2023 10:21:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646619#M223815 ITWhisperer 2023-06-12T10:21:01Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646622#M223817 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>, glad to know the sub-search runs first.<BR />The inner inputlookup gives me the correct fileNames, but when I try it with either of options neither worked, any suggestions on what I'm doing wrong please.<BR /><BR />Option1:<BR />| inputlookup [| makeresults<BR />[| inputlookup geo_attr_us_states.csv<BR />| stats count as isAvailable<BR />| eval fileName = if(isAvailable &gt; 0, "1.csv", "2.csv")<BR />| table fileName]]<BR /><BR />Option 2:<BR />| inputlookup [| makeresults<BR />[| inputlookup geo_attr_us_states.csv<BR />| stats count as isAvailable<BR />| eval fileName = if(isAvailable &gt; 0, "1.csv", "2.csv")<BR />| table fileName]<BR />| return $fileName]</P> Mon, 12 Jun 2023 10:43:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646622#M223817 Thulasinathan_M 2023-06-12T10:43:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646624#M223818 <P>Try something like this</P><LI-CODE lang="markup">| inputlookup geo_attr_us_states.csv | stats count as isAvailable | eval fileName = if(isAvailable &gt; 0, "1.csv", "2.csv") | eval lookup="| inputlookup ".fileName | map search="| makeresults | map search="$lookup$</LI-CODE> Mon, 12 Jun 2023 10:51:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646624#M223818 ITWhisperer 2023-06-12T10:51:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646648#M223820 <P>Thank you, it did the trick <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 12 Jun 2023 12:27:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646648#M223820 Thulasinathan_M 2023-06-12T12:27:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646668#M223826 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Sorry,&nbsp; I misunderstood my existing flow and it's I've to add a field&nbsp; 'env' value from the main search. As I'm a newbie to splunk couldn't find a solution for this, could you please kindly assist.</P><LI-CODE lang="markup">index=main sourcetype=java ErrorCode=400 env=prod | join type=left ErrorCode [| inputlookup [| makeresults | eval search="Errors".env.strftime(now(),"%m%d").".csv" | table search] | stats count as isAvailable | eval fileName = if(isAvailable &gt; 0, "Errors".env.strftime(now(),"%m%d").".csv", "Errors".env.strftime(relative_time(now(), "-1d"),"%m%d").".csv") | eval lookup="| inputlookup ".fileName | map search="| makeresults | map search="$lookup$]</LI-CODE><P>&nbsp;</P> Mon, 12 Jun 2023 14:37:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646668#M223826 Thulasinathan_M 2023-06-12T14:37:25Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646676#M223829 <P>From your main search, env=prod so why not just use that string in the lookup file name?</P><P>&nbsp;</P> Mon, 12 Jun 2023 14:57:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646676#M223829 ITWhisperer 2023-06-12T14:57:42Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646679#M223832 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Based on the source the env values get change, from the results I add a new field as 'env' using rex and then have to use the field value to differentiate the files specific to each env.</P> Mon, 12 Jun 2023 15:18:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646679#M223832 Thulasinathan_M 2023-06-12T15:18:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646718#M223845 <P>Thanks, working now.!!!</P> Mon, 12 Jun 2023 18:48:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-value-from-outer-query-in-inputlookup/m-p/646718#M223845 Thulasinathan_M 2023-06-12T18:48:53Z