Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating Field from Inputlookup

TooManyQuestion
Explorer
‎10-29-2020 05:45 PM

Hello.
I'm trying to create a field for all events in a search. The field is a value from a inpulookup. There is no shared fields between the lookup and the search in the conventional sense. The organization of my lookup is as follows

ID     email1                            email2                           email3

1      ex1@gmail..com        ex2@gmail..com       ex3@gmail..com

2     ex4@gmail..com        ex5@gmail..com        ex6@gmail..com

3     ex7@gmail..com        ex8@gmail..com         ex9@gmail..com

4     ex10@gmail..com      ex11@gmail..com      ex12@gmail..com

 

 

|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | table emails

 

The above searches gives me my desired output of
emails=ex1@gmail.com, ex1@gmail.com, ex1@gmail.com

 

But when I pop in into an eval statement to give each event that field/value I get an error about a malformed eval.

Below is the eval I am trying to do.

 

index=main (insert search here)
|eval test =[|inputlookup email.csv
            | search ID = "1"
            | strcat email1", " email2", " email3 emails
            | return $emails
            ]

 

 

Any help would be greatly appreciated. Thanks!

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-29-2020 07:46 PM

Try

 

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

 

Happy Splunking!
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-29-2020 09:09 PM

Hi @renjith_nair / all, 

index=main | eval [|inputlookup ..... |return emails]

for SPL newbies, could someone explain this "eval" part, thanks. 

 

Best Regards,

Sekar

Reply
Solved! Jump to solution

TooManyQuestion
Explorer
‎10-29-2020 07:54 PM

Thanks! That got me there! I knew I was just messing up something small and couldn't work it out.

index=main (insert search here)
|eval [|inputlookup email.csv
            | search ID = "1"
            | strcat email1 ", " email2 ", " email3 emails
            | return emails
            ]

Just had to remove the emails before the subsearch otherwise it gave me "emails emails" as the field name!

Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-29-2020 07:57 PM

Yes, removed extra field. My bad, I forgot that 🙂

Happy Splunking!
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...