Splunk Search

Can I use lookup output inside calculated field?

yuanliu
Builder

I have an attribute that is determined by two inputs, one with many possible values, the other few.  I can list them in a giant joint table for automatic lookup, but building and maintaining the table would be tedious.  I can put all criteria in one giant eval, but maintenance is a worse nightmare.  The most maintainable way to do this would be to look up a map with the numerous input, then calculate with the sparse input.  The challenge is to do this automatically for all searches.

Because automatic lookup is performed after calculated field, I cannot access the lookup map as a new field.  My question is whether there is a way to explicitly invoke a lookup inside eval, like


EVAL-new_attrib = if(lookup(map1, value_of_many) == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))


Here, new_attrib is the attribute I wanted, value_of_many and value_of_few are the two inputs.  I'm hoping that lookup(map1, value_of_many) would give me an output as if I use 


| lookup map_of_many value_of_many OUTPUT map1
| eval new_attrib = if(map1 == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))

0 Karma
1 Solution

venkatasri
Motivator

You can probably try a macro for reusability. Define search macros in Settings - Splunk Documentation

-----------------------------------------------------------

An upvote would be appreciated if it helps!


0 Karma


yuanliu
Builder

Yes!  How can I forget macros😊

0 Karma

venkatasri
Motivator

Hi @yuanliu

As per Splunk docs, lookups get executed after calculated fields.


* Splunk software processes calculated fields after field extraction and
  field aliasing but before lookups. This means that:
  * You can use a field alias in the eval statement for a calculated
    field.
  * You cannot use a field added through a lookup in an eval statement for a
    calculated field.


Ref. link - props.conf - Splunk Documentation

You can use it in a search query instead of writing props.conf, the same way as you wrote the second query. Unfortunately there seems to be no way you can invoke a lookup first inside eval.

-----------------------------------------------------------

An upvote would be appreciated if it helps!
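As an added example (not from this thread, Splunk's docs, or either poster), here is one way to package the lookup-then-eval pattern from the question as a search macro, which is what the accepted answer suggests and what the props.conf ordering quoted above forces: the lookup has to happen at search time, not in a calculated field. The lookup table `map_of_many` and its columns, the macro name `calc_new_attrib(2)`, the argument names, and the two string expressions standing in for `xvaluefunct`/`elsefunct` are all assumptions for illustration:

```ini
# macros.conf (for example in an app's local/ directory)
# Added example, not from the original thread. Assumed: a lookup named
# "map_of_many" with columns value_of_many and map1; the macro name, argument
# names and both eval branches are placeholders to replace with your own.
[calc_new_attrib(2)]
args = many_field, few_field
# The caller supplies the pipe before the macro, so the definition starts with
# a command. $many_field$ is the event field matched against the lookup's
# value_of_many column; map1 is the looked-up value and is dropped after use so
# the intermediate field does not leak into results or alerts built on them.
definition = lookup map_of_many value_of_many AS $many_field$ OUTPUT map1 \
| eval new_attrib = if(map1=="X", "x_" . $few_field$, "other_" . $few_field$) \
| fields - map1
# Refuse calls that leave either argument empty; validation is an eval
# expression over the macro's argument names.
validation = isnotnull(many_field) AND isnotnull(few_field)
errormsg = calc_new_attrib needs two field names: (many_field, few_field)

# Usage at search time (constructed example search, index and field names assumed):
#   index=proxy sourcetype=web | `calc_new_attrib(src_host, severity)` | stats count BY new_attrib
```

The macro keeps the many-valued mapping in the lookup CSV and the few-valued branching in one eval, so each can be maintained separately, and every saved search, dashboard panel or correlation search that needs the field calls the same definition. The trade-off is the one raised later in the thread: unlike a calculated field in props.conf, the macro must be invoked explicitly in each search, and the field is not present in searches that omit it.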


yuanliu
Builder

Thank you for the reply.  The reason why I wanted to evaluate this automatically is because this new field is to be used in so many searches.

0 Karma