Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Create fields from the lookup content

corti77
Contributor
‎09-07-2021 12:56 AM

Hi,

In order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary.

the format of the csv file (test.csv) is the following (this format could be changed based on the answers to this post)

Threshold          Value

name1                 value1

name2                 value2

the only way to do what I want is the following query

| eval tempField="name1"
| lookup test.csv Threshold as tempField OUTPUT Value as test1value

 

any better or more efficient way of doing this?

I was imagining something like the line below but it didnt manage to make it work.

| lookup test.csv Threshold  as "name1" OUTPUT Value as test1value

thanks!

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2021 02:36 AM

Are you looking to have both values available at the same time? If so, you might consider changing your lookup to 

testvalue1testvalue2
value1value2

then use inputlookup to add them to your search

0 Karma
Reply

corti77
Contributor
‎09-07-2021 06:00 AM

I created the CSV the way you proposed as I need to have both fields at the same time and I tried the following

index=_internal
| head 5
| inputlookup append=t test.csv

but it only creates new columns in a new event

corti77_0-1631019603698.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2021 06:43 AM 
index=_internal
| head 5
| inputlookup append=t test.csv
| eventstats values(CriticalDefault) as CriticalDefault values(WarningDefault) as WarningDefault
| where isnotnull(_raw)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...