Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use an eval where the final value is pulled out of a lookup file?

jacqu3sy
Path Finder
‎09-30-2019 07:06 AM

How do I use an eval where the final value is pulled out of a lookup file.?

Trying to use the following but cant get it to work;

| eval severity=if( | inputlookup severity_values.csv dest OUTPUT severity),"medium","high")
|Stats count by dest, severity

With a csv that looks as follows;

dest, severity
server1, high
server2, medium
server3, low

Thanks.

0 Karma
Reply

jacobpevans
Motivator
‎09-30-2019 07:23 AM

Greetings @jacqu3sy,

Assuming you have a field called dest in your events, try this:

| lookup severity_values.csv dest as dest
| stats count by dest, severity
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

jacqu3sy
Path Finder
‎10-01-2019 12:38 AM

This will not allow me to OUTPUT the severity field, nor function within an IF statement as required.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...