Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Applying an inputlookup across a list of values

bpenny
Explorer
‎04-08-2025 08:11 AM

We have a use case where some JSON being ingested into Splunk contains a list of values like this:

        "message_set": [
            {
                "type": 9
            },
            {
                "type": 22
            },
            {
                "type": 15
            },
...
        ],

That list has an arbitrary length, so it could contain anywhere from one up to around 30 "type" values. Splunk is parsing the JSON just fine, so these fields can be referenced as "message_info.message_set{}.type" in searches.

I'd like to set up an inputlookup that maps these numerical values to more descriptive text. Is there a way to apply an inputlookup across an entire list of arbitrary size like this, or would I need to explicitly add an inputlookup definition for each individual index in the list? I'd ultimately like to add these as LOOKUP settings in the sourcetype for this data so that they're automatically applied for all searches.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-09-2025 07:13 AM

Hi @bpenny 

If you're looking to do it as an automatic lookup then you should be able to use the following, configured from Settings -> Lookups -> Automatic Lookups.

livehybrid_0-1744207880079.png

Or as a props.conf:

[yourSourceType]
LOOKUP-lookup1 = yourLookupName type AS "msg.message_set{}.type" OUTPUTNEW typeDescription AS typeDescription

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

View solution in original post

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-08-2025 08:33 AM

Hi @bpenny 

You should be able to do a simple lookup for this, something like this:

| lookup typesEnrich.csv type AS msg.message_set{}.type OUTPUT typeDescription

 

To demonstrate this I've created a sample lookup file:

| makeresults count=1
| eval type=1, typeDescription="Type A"
| append [ | makeresults count=1 | eval type=2, typeDescription="Type B" ]
| append [ | makeresults count=1 | eval type=3, typeDescription="Type C" ]
| append [ | makeresults count=1 | eval type=4, typeDescription="Type D" ]
| append [ | makeresults count=1 | eval type=5, typeDescription="Type E" ]
| append [ | makeresults count=1 | eval type=6, typeDescription="Type F" ]
| table type typeDescription
| outputlookup typesEnrich.csv

Then using some sample data we can emulate your use-case (hopefully!)

| makeresults
| eval json_data = "{\"msg\":{\"message_set\": [{\"type\": 1}, {\"type\": 2}, {\"type\": 4}]}}"
| eval _raw=json_extract(json_data,"")
| table _raw
| spath input=_raw
| lookup typesEnrich.csv type AS msg.message_set{}.type OUTPUT typeDescription

Which gives the following:

livehybrid_0-1744126386752.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

bpenny
Explorer
‎04-09-2025 06:32 AM

Thanks, @livehybrid, this is very close to what I need. What I ultimately want though, is to make these automatic lookups. We actually have about ten different ones that we need to apply to this particular sourcetype. I just can't seem to figure out how to add something like msg.message_set{}.type to an automatic lookup and have it work.

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-09-2025 07:13 AM

Hi @bpenny 

If you're looking to do it as an automatic lookup then you should be able to use the following, configured from Settings -> Lookups -> Automatic Lookups.

livehybrid_0-1744207880079.png

Or as a props.conf:

[yourSourceType]
LOOKUP-lookup1 = yourLookupName type AS "msg.message_set{}.type" OUTPUTNEW typeDescription AS typeDescription

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2025 08:25 AM

Check out the lookup function.  It should do what you want and put the results in a separate JSON array.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...