
Add fields in lookup with request without using index or sourcetype

AlexH
Engager

Hi everybody,

I hope you can help me with my problem.

I want to add fields to a lookup with a request that doesn't use an index.

We don't have any results, so I use the fillnull option and appendpipe to create a result, but they don't want to add the new fields to the lookup.

The KV store fields are fixed and defined in transforms.conf and collections.conf.

For example:

 

| table key,Category,activation,target,tester,url
|fillnull
| appendpipe [ stats count
| eval Category = "HOST Blacklist"
| eval activation = "09/15/21"
| eval target = "Un test ajout"
| eval url = "http://www.test.html"
| eval tester = "*test.html*"
| eval key=Category.tester.target
| where count==0]
| fields - count
| table key,Category,activation,target,tester,url
| outputlookup t_lookup append=True override_if_empty=false key_field=key

I see my event in the search interface but not in my lookup.

Do you have an idea for adding fields like this?

Thanks for your help.

 

1 Solution

ITWhisperer
SplunkTrust
| makeresults
| eval Category = "HOST Blacklist"
| eval activation = "09/15/21"
| eval target = "Un test ajout"
| eval url = "http://www.test.html"
| eval tester = "*test.html*"
| eval key=Category.tester.target
| table key,Category,activation,target,tester,url
| outputlookup t_lookup append=True override_if_empty=false key_field=key

AlexH
Engager

Thanks a lot, that's good!!

 

 
