I am developing an app, where I would like to normalize the value of a field coming from a lookup.
From the documentation of props.conf, it is clear that it is not possible to have an eval after a lookup. Though it is not really clear to me if the value from a lookup can be reused in another lookup.
For example in my props.conf I am trying to do something like this:
LOOKUP-01 = mykvstore kvstoref1 as eventf1 OUTPUT kvstoref2 as eventf2
LOOKUP-02 = mycsvlookup csvf1 as eventf2 OUTPUT csvf2 as eventf3
I extract a value from mykvstore and save it in event field eventf2. Then I want to use the value of the event field eventf2 to retrieve my normalized value and save it in eventf3. I am not able to get this example working, but I can't find out whether this is because I am using the wrong syntax, or if this is just not supported in Splunk.
What I really want is to have this normalization handled by the app, and not to have to do extra transformation when executing the search.
An easy way to assess if you are using the correct syntax is to enter this lookup command on the search. If it does not give you any error, then the command is correct. In my Splunk installation I can use a lookup with a field from another lookup.
Thanks for the answer. When I am using the following in my search, indeed this is working. For example, something like:
* | lookup mykvstore kvstoref1 as eventf1 OUTPUT kvstoref2 as eventf2 | lookup mycsvlookup csvf1 as eventf2 OUTPUT csvf2 as eventf3
Though what I am really looking for is to have it working in my app. Any idea how I can have it working?
Yes, I have an app with two lookups that works exactly as you mentioned; the props.conf follows:
LOOKUP-clients = clients host OUTPUTNEW client
LOOKUP-approval = approval domain client OUTPUTNEW approval
After that I can see on my search "sourcetype=sourcetype" returning client and approval fields for matching events.
Hope this helps.