Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an error in the "Creating Splunk Knowledge Objects" eLearning course?

ctaf
Contributor
‎05-06-2016 03:54 AM

Hello,

I am currently following the "Creating Splunk Knowledge Objects" eLearning course but at one point, the teacher says:

"Calculated fields are evaluated after lookup are defined."

It is also written in red on the video.
This is situated at the "2- Aliases and Calc Fields" module --> "Manage Calc. Fields" --> 00:20 seconds.
And so the teacher insists that Calculated fields are not usable with lookup, but...

The props.conf documentation says something else:

"Splunk processes calculated fields after field extraction and field aliasing but before lookups"

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

cbreshears_splu
Splunk Employee
Splunk Employee
‎05-06-2016 11:52 AM

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

cbreshears_splu
Splunk Employee
Splunk Employee
‎05-06-2016 11:52 AM

You are correct.

The statement should be :
"Lookup data can not be used in a calculated field, because lookup data does not exist at the time of calculation."
Not that calculated fields can not be used with lookups.

This bug will be fixed on next release of the course.

Here are the details from the Docs:

You cannot base calculated fields on lookup fields. It won't work if you try. This is because, as mentioned above, the evaluation of calculated fields takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 12:22 PM

I converted this to the answer,

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎05-06-2016 10:53 AM

i've let folks in the edu group know about this, they should post here when they confirm etc.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 06:15 AM

I believe you are correct. The video is incorrect as eval occurs before lookups so that you can use the evaluated field in the lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...