Knowledge Management

Is there an error in the "Creating Splunk Knowledge Objects" eLearning course?

ctaf
Contributor

Hello,

I am currently following the "Creating Splunk Knowledge Objects" eLearning course but at one point, the teacher says:

"Calculated fields are evaluated after lookup are defined."

It is also written in red on the video.
This is situated at the "2- Aliases and Calc Fields" module --> "Manage Calc. Fields" --> 00:20 seconds.
And so the teacher insists that Calculated fields are not usable with lookup, but...

The props.conf documentation says something else:

"Splunk processes calculated fields after field extraction and field aliasing but before lookups"

Tags (1)
1 Solution

cbreshears_splu
Splunk Employee
Splunk Employee

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

View solution in original post

cbreshears_splu
Splunk Employee
Splunk Employee

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

jkat54
SplunkTrust
SplunkTrust

I converted this to the answer,

0 Karma

piebob
Splunk Employee
Splunk Employee

i've let folks in the edu group know about this, they should post here when they confirm etc.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I believe you are correct. The video is incorrect as eval occurs before lookups so that you can use the evaluated field in the lookup.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...