Hi all,

I am trying to use data models to extract a search time value from a lookup. However, the value I am using to join to the lookup table is extracted from the source. I have no other way to get the value other than from the file name.

For example, I have the following regex extraction against source. It is configured in both my data model and as a calculated field:

(?<SourceFolder>[\w-]+).(?<SourceIdentifier>\d+)[\D]+

When I preview or run a search, these fields get populated.

I also have a lookup that has the SourceIdentifier field with matching values. I configured a lookup field in DataModels to add some of the lookup fields to my searches. My lookup field configuration is at the bottom of the list.

When I preview or run a search, these fields do not get populated.

Splunk documentation says: "When Splunk software evaluates calculated fields, it evaluates each expression as if it were independent of all other fields. You cannot chain calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field." (https://docs.splunk.com/Documentation/Splunk/7.2.5/Knowledge/definecalcfields)

However, at the bottom of the data models page there is a message that says: "Calculated fields are processed in the order above, so ensure any dependent fields are defined first. Drag to rearrange." (You can find this message by clicking into an unaccelerated data model and scrolling to the bottom of the page.)

I've attempted to work on this issue in both Splunk Enterprise and Splunk Cloud. Both are running v 7.0.8.

Is what I am attempting to do possible?

If not, is there another route to accomplish the same thing?

Thank you!