Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use lookup output inside calculated field?

yuanliu
SplunkTrust
SplunkTrust
‎05-19-2021 04:54 PM

I have an attribute that is determined by two inputs, one with many possible values, the other few.  I can enlist them in a giant joint table for automatic lookup, but building and maintaining the table would be tedious.  I can put all criteria in one giant eval, but maintenance is a worse nightmare.  The most maintainable way to do this would be to lookup a map with the numerous input, then calculate with the sparse input.  The challenge is to do this automatically for all searches.

Because automatic lookup is performed after calculated field, I cannot access the lookup map as a new field.  My question is whether there is a way to explicitly invoke a lookup inside eval, like

 

EVAL-new_attrib = if(lookup(map1, value_of_many) == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))

 

Here, new_attrib is the attribute I wanted, value_of_many and value_of_few are the two inputs.  I'm hoping that lookup(map1, value_of_many) would give me an output as if I use 

 

| lookup map_of_many value_of_many OUTPUT map1
| new_attrib = if(map1 == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))

 

 

Labels (3)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎05-19-2021 11:27 PM

You can probably try macro for reusability. Define search macros in Settings - Splunk Documentation

-----------------------------------------------------------

An upvote would be appreciated if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎05-19-2021 11:27 PM

You can probably try macro for reusability. Define search macros in Settings - Splunk Documentation

-----------------------------------------------------------

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-19-2021 11:57 PM

Yes!  How can I forget macros😊

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎05-19-2021 10:14 PM

Hi @yuanliu 

As per Splunk docs lookups get executed after calculated fields.

 

* Splunk software processes calculated fields after field extraction and
  field aliasing but before lookups. This means that:
  * You can use a field alias in the eval statement for a calculated
    field.
  * You cannot use a field added through a lookup in an eval statement for a
    calculated field.

 

Ref. link - props.conf - Splunk Documentation

You can use it in search query instead writing props.conf same way as you written second query. unfortunately there seems no way you can invoke lookup first inside eval.

-----------------------------------------------------------

An upvote would be appreciated if it helps!

 

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-19-2021 11:06 PM

Thank you for the reply.  The reason why I wanted  to evaluate this automatically is because this new field is to be used in so many searches.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...