Getting Data In

How do I use inputlookup to create table of string matches from raw events?

digital_alchemy
Path Finder

I need to match strings contained in a .csv lookup file to the raw events since there are no field extractions for these strings. I would also like to export this data to a table.

I'm using the following search:

*[| inputlookup MY_LOOKUP_FILE.csv | rename COLUMN_HEADER as search | fields search | format]
| eval rawText=_raw
| eval hit=[| inputlookup MY_LOOKUP_FILE.csv | stats values(COLUMN_HEADER) as query | eval query=mvjoin(query,",") | fields query | eval query="\"".query."\""]
| eval hit=split(hit,",")
| mvexpand hit
| eval hit=lower(hit)
| eval rawText=lower(rawText)
| where like(rawText,"%".hit."%")
| table *

When I run this search I'm getting the following error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'.

I can't seem to get this search to work and I'm not sure what the error is.

Any ideas?

1 Solution

digital_alchemy
Path Finder

OK, figured out that I had a typo: I had mistyped the column header in the evals.

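As an added example (not part of the original thread), here is the same search with the string-building subsearch laid out so that it can be run and inspected on its own. It assumes a lookup named MY_LOOKUP_FILE.csv with a column COLUMN_HEADER, exactly as in the question; the field names rawText and hit are carried over from the question, and the columns passed to `table` are an assumption about what a useful output looks like.

```spl
*[| inputlookup MY_LOOKUP_FILE.csv | rename COLUMN_HEADER as search | fields search | format]
| eval rawText=lower(_raw)
| eval hit=[| inputlookup MY_LOOKUP_FILE.csv
    | stats values(COLUMN_HEADER) as query
    | eval query="\"" . lower(mvjoin(query, ",")) . "\""
    | fields query]
| eval hit=split(hit, ",")
| mvexpand hit
| where like(rawText, "%" . hit . "%")
| table _time host source sourcetype hit rawText
```

Before using the full search, run the part inside the second pair of brackets by itself with `| format` appended: the value it returns is the text Splunk splices into `eval hit=...`. With the correct column name you get a single quoted string such as `"term1,term2,term3"`; with a misspelled column name `stats values()` produces no rows, an empty subsearch is substituted as `NOT ()`, and the eval parser stops at that `)`, which is consistent with the error reported in the question. Two caveats: `like()` treats `%` and `_` inside the lookup terms as wildcards, so a term such as `cmd_exe` also matches `cmd.exe`; and `mvexpand` emits one row per event per term, so the row count (and memory use) grows with the size of the lookup. If one row per event is wanted, follow the `where` with `| stats values(hit) as hit by _time, host, rawText` instead of `table`.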

rgcurry
Contributor

Without knowing your data or situation, I am curious as to what is keeping you or someone from creating the field extractions needed/wanted to make this work? You could also use the rex command to dynamically create fields from the raw data. Have you played with the Field Extractions page in Manager?

As for the malformed eval error, your search is quite generic to me and I don't see the error. What I do in a situation where I have a lot of evals and cannot see which one is in error is to remove all but the first and run the search; if it works, add the next one back and rerun; repeat as needed until the solution is found.
