Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating Field from Inputlookup

TooManyQuestion
Explorer
‎10-29-2020 05:45 PM

Hello.
I'm trying to create a field for all events in a search. The field is a value from a inpulookup. There is no shared fields between the lookup and the search in the conventional sense. The organization of my lookup is as follows

ID     email1                            email2                           email3

1      ex1@gmail..com        ex2@gmail..com       ex3@gmail..com

2     ex4@gmail..com        ex5@gmail..com        ex6@gmail..com

3     ex7@gmail..com        ex8@gmail..com         ex9@gmail..com

4     ex10@gmail..com      ex11@gmail..com      ex12@gmail..com

 

 

|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | table emails

 

The above searches gives me my desired output of
emails=ex1@gmail.com, ex1@gmail.com, ex1@gmail.com

 

But when I pop in into an eval statement to give each event that field/value I get an error about a malformed eval.

Below is the eval I am trying to do.

 

index=main (insert search here)
|eval test =[|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | return $emails
            ]

 

 

Any help would be greatly appreciated. Thanks!

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-29-2020 09:09 PM

Hi @renjith_nair / all, 

index=main | eval [|inputlookup ..... |return emails]

for SPL newbies, could someone explain this "eval" part, thanks. 

 

Best Regards,

Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

TooManyQuestion
Explorer
‎10-29-2020 07:54 PM

Thanks! That got me there! I knew I was just messing up something small and couldn't work it out.

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

Just had to remove the emails before the subsearch otherwise it gave me "emails emails" as the field name!

Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-29-2020 07:57 PM

Yes, removed extra field. My bad, I forgot that 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top