Hi all,
I am quite new to Splunk and now trying to create a dashboard panel using a query that does the following:
The csv looks something like this:
code, notes
123, User
456, Admin
789, User
Example of my query:
index=userdatabase "abc12345"
| eval abc=[|inputlookup Lookup.csv | where code=opsID| fields notes]
| eval isPresent=if(abc!="", YES, NO)
| table username, isPresent
However, I am getting errors like: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. I have tried for a few days but can't seem to figure out my mistake, hence I am hoping for some help with my basic question. I have a feeling my logic could be wrong to begin with.
Hi @desperate,
You can try below;
index=userdatabase "abc12345"
| lookup Lookup.csv code as opsID OUTPUT notes
| eval isPresent=if(isnotnull(notes), "YES", "NO")
| table username, isPresent
Hi @desperate,
you should read the documentation about the lookup command at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup and it could be a good idea to follow the Splunk Search Tutorial to better learn about SPL: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
Anyway, to solve your problem, please try this:
index=userdatabase "abc12345"
| lookup Lookup.csv code AS opsID OUTPUT notes
| where isnotnull(notes)
| table code notes
Ciao.
Giuseppe