Splunk Search

Can I use lookup output inside calculated field?

yuanliu
SplunkTrust

I have an attribute that is determined by two inputs, one with many possible values, the other with few.  I can list them in a giant joint table for an automatic lookup, but building and maintaining the table would be tedious.  I can put all the criteria in one giant eval, but maintenance is a worse nightmare.  The most maintainable way to do this would be to look up a map with the numerous input, then calculate with the sparse input.  The challenge is to do this automatically for all searches.

Because automatic lookups are performed after calculated fields, I cannot access the lookup map as a new field.  My question is whether there is a way to explicitly invoke a lookup inside eval, like

EVAL-new_attrib = if(lookup(map1, value_of_many) == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))

Here, new_attrib is the attribute I want, and value_of_many and value_of_few are the two inputs.  I'm hoping that lookup(map1, value_of_many) would give me an output as if I used

| lookup map_of_many value_of_many OUTPUT map1
| eval new_attrib = if(map1 == "X", xvaluefunct(value_of_few), elsefunct(value_of_few))

1 Solution

venkatasri
SplunkTrust

You can probably try a macro for reusability. Define search macros in Settings - Splunk Documentation

-----------------------------------------------------------

An upvote would be appreciated if it helps!

0 Karma

yuanliu
SplunkTrust

Yes!  How can I forget macros 😊

0 Karma

venkatasri
SplunkTrust

Hi @yuanliu

As per Splunk docs, lookups get executed after calculated fields.

* Splunk software processes calculated fields after field extraction and
  field aliasing but before lookups. This means that:
  * You can use a field alias in the eval statement for a calculated
    field.
  * You cannot use a field added through a lookup in an eval statement for a
    calculated field.

Ref. link - props.conf - Splunk Documentation

You can use it in a search query instead of writing props.conf, the same way as you wrote your second query. Unfortunately there seems to be no way you can invoke a lookup first inside eval.

-----------------------------------------------------------

An upvote would be appreciated if it helps!
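The macro route suggested above, written out as a macros.conf stanza. This is an added example, not code from the thread or from Splunk's docs: the lookup name map_of_many, the fields value_of_many, value_of_few and map1, and the "X" value come from the question; the macro name calc_new_attrib and the upper()/lower() branches are constructed stand-ins for xvaluefunct()/elsefunct().

```ini
# macros.conf (added example, not from the original thread)
# A search macro runs the lookup first and the eval second, so the
# lookup output field "map1" exists before the calculation reads it.
# This is the ordering that props.conf cannot give you, because
# EVAL- calculated fields run before LOOKUP- automatic lookups.
#
# Assumed names: calc_new_attrib (macro), upper()/lower() stand in for
# xvaluefunct()/elsefunct() from the question.
[calc_new_attrib(2)]
args = many, few
definition = lookup map_of_many value_of_many AS $many$ OUTPUT map1 | eval new_attrib = if(map1 == "X", upper($few$), lower($few$))
iseval = 0

# Call it from any search that needs the field, e.g.:
#   index=main sourcetype=myst
#   | `calc_new_attrib(value_of_many, value_of_few)`
#   | stats count BY new_attrib
```

Share the macro at the app or global level (Settings > Advanced search > Search macros) so every search that needs the field can call it; the trade-off, as the thread notes, is that each search has to invoke the macro rather than getting the field automatically.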


yuanliu
SplunkTrust

Thank you for the reply.  The reason I wanted to evaluate this automatically is that this new field is to be used in so many searches.

0 Karma