https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37115#M8255 <P>Hello,</P> <P>i have a scripted lookup which is working fine. i configured in the lookups that the field name is called clientip for lookups. </P> <P>now i want to make it more dynamic so that the lookup can also be used for other fields containing an ip address. those fields might be clientip, src_ip, source_ip, dst_ip, dest_ip and so on. </P> <P>currently i found only that i need to configure one lookup command for each field name or rename the field in a pre command. </P> <P><IMG src="http://splunk-base.splunk.com//storage/Bildschirmfoto_2013-08-16_um_08.54.35.png" alt="alt text" /> <IMG src="http://splunk-base.splunk.com//storage/Bildschirmfoto_2013-08-16_um_08.55.28.png" alt="alt text" /></P> <P>i want to make my app ip reputation more generic. so that someone can type </P> <PRE><CODE>... | lookup threatscore src_ip </CODE></PRE> <P>as well as </P> <PRE><CODE>... | lookup threatscore clientip </CODE></PRE> <P>or other field names depending what's required.</P> <P>Thanks a lot<BR /> Matthias</P> Mon, 28 Sep 2020 14:35:21 GMT Matthias_BY 2020-09-28T14:35:21Z https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37115#M8255 <P>Hello,</P> <P>i have a scripted lookup which is working fine. i configured in the lookups that the field name is called clientip for lookups. </P> <P>now i want to make it more dynamic so that the lookup can also be used for other fields containing an ip address. those fields might be clientip, src_ip, source_ip, dst_ip, dest_ip and so on. </P> <P>currently i found only that i need to configure one lookup command for each field name or rename the field in a pre command. </P> <P><IMG src="http://splunk-base.splunk.com//storage/Bildschirmfoto_2013-08-16_um_08.54.35.png" alt="alt text" /> <IMG src="http://splunk-base.splunk.com//storage/Bildschirmfoto_2013-08-16_um_08.55.28.png" alt="alt text" /></P> <P>i want to make my app ip reputation more generic. so that someone can type </P> <PRE><CODE>... | lookup threatscore src_ip </CODE></PRE> <P>as well as </P> <PRE><CODE>... | lookup threatscore clientip </CODE></PRE> <P>or other field names depending what's required.</P> <P>Thanks a lot<BR /> Matthias</P> Mon, 28 Sep 2020 14:35:21 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37115#M8255 Matthias_BY 2020-09-28T14:35:21Z https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37116#M8256 <P>You could do the one lookup then just add "AS" so " | lookup threatscore ip AS src_ip" That will map the src_ip to the ip field from your lookup as you do it. </P> Mon, 28 Sep 2020 14:35:27 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37116#M8256 starcher 2020-09-28T14:35:27Z https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37117#M8257 <P>great this is working - so easy <span class="lia-unicode-emoji" title=":winking_face:">😉</span> thanks a lot</P> Fri, 16 Aug 2013 12:00:57 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-field-names-for-lookups/m-p/37117#M8257 Matthias_BY 2013-08-16T12:00:57Z