Solved: Passing Variable to Inputlookup

geekf · ‎04-28-2020

I am running a query to find the list of users that received an email from a particular email address. This is working fine until I try to get more details by using Inputlookup. I want to use Inputlookup to get more details about the users like their department, location, etc which can only be done through that. I need to pass the results from the search to get the other details. The search lists all the userids since I strip out the domain by using the regex.

Here is my query:

sourcettype=sendmail to=* [ search sourcetype=sendmail from=email@gmail.com | fields qid] | rex field=orig_recipient "(?[^@]+)" | dedup orig_recipient | inputlookup append=t identity_lookup_expanded where * identity=$orig_recipient$] | table orig_recipient dept email some other fields

Any help would be appreciated!

richgalloway · ‎04-28-2020

The $ operator only applies in the map command and when referencing inputs to a dashboard.
Why use inputlookup here? Why not lookup identity_lookup_expanded email as orig_recipient OUTPUT bunit, work_city, work_country?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-28-2020

The $ operator only applies in the map command and when referencing inputs to a dashboard.
Why use inputlookup here? Why not lookup identity_lookup_expanded email as orig_recipient OUTPUT bunit, work_city, work_country?

---
If this reply helps you, Karma would be appreciated.

geekf · ‎04-28-2020

This worked perfectly!
Thanks a lot for your prompt response...

Passing Variable to Inputlookup

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices