Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating Field from Inputlookup

TooManyQuestion
Explorer
‎10-29-2020 05:45 PM

Hello.
I'm trying to create a field for all events in a search. The field is a value from a inpulookup. There is no shared fields between the lookup and the search in the conventional sense. The organization of my lookup is as follows

ID     email1                            email2                           email3

1      ex1@gmail..com        ex2@gmail..com       ex3@gmail..com

2     ex4@gmail..com        ex5@gmail..com        ex6@gmail..com

3     ex7@gmail..com        ex8@gmail..com         ex9@gmail..com

4     ex10@gmail..com      ex11@gmail..com      ex12@gmail..com

 

 

|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | table emails

 

The above searches gives me my desired output of
emails=ex1@gmail.com, ex1@gmail.com, ex1@gmail.com

 

But when I pop in into an eval statement to give each event that field/value I get an error about a malformed eval.

Below is the eval I am trying to do.

 

index=main (insert search here)
|eval test =[|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | return $emails
            ]

 

 

Any help would be greatly appreciated. Thanks!

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-29-2020 09:09 PM

Hi @renjith_nair / all, 

index=main | eval [|inputlookup ..... |return emails]

for SPL newbies, could someone explain this "eval" part, thanks. 

 

Best Regards,

Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

TooManyQuestion
Explorer
‎10-29-2020 07:54 PM

Thanks! That got me there! I knew I was just messing up something small and couldn't work it out.

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

Just had to remove the emails before the subsearch otherwise it gave me "emails emails" as the field name!

Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-29-2020 07:57 PM

Yes, removed extra field. My bad, I forgot that 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top