Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Creating Field from Inputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I'm trying to create a field for all events in a search. The field is a value from a inpulookup. There is no shared fields between the lookup and the search in the conventional sense. The organization of my lookup is as follows
ID email1 email2 email3
1 ex1@gmail..com ex2@gmail..com ex3@gmail..com
2 ex4@gmail..com ex5@gmail..com ex6@gmail..com
3 ex7@gmail..com ex8@gmail..com ex9@gmail..com
4 ex10@gmail..com ex11@gmail..com ex12@gmail..com
|inputlookup email.csv
| search ID = "1"
| strcat email1", " email2", " email3 emails
| table emails
The above searches gives me my desired output of
emails=ex1@gmail.com, ex1@gmail.com, ex1@gmail.com
But when I pop in into an eval statement to give each event that field/value I get an error about a malformed eval.
Below is the eval I am trying to do.
index=main (insert search here)
|eval test =[|inputlookup email.csv
| search ID = "1"
| strcat email1", " email2", " email3 emails
| return $emails
]
Any help would be greatly appreciated. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
index=main (insert search here)
|eval [|inputlookup email.csv
| search ID = "1"
| strcat email1 ", " email2 ", " email3 emails
| return emails
]
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
index=main (insert search here)
|eval [|inputlookup email.csv
| search ID = "1"
| strcat email1 ", " email2 ", " email3 emails
| return emails
]
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith_nair / all,
index=main | eval [|inputlookup ..... |return emails]for SPL newbies, could someone explain this "eval" part, thanks.
Best Regards,
Sekar
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That got me there! I knew I was just messing up something small and couldn't work it out.
index=main (insert search here)
|eval [|inputlookup email.csv
| search ID = "1"
| strcat email1 ", " email2 ", " email3 emails
| return emails
]Just had to remove the emails before the subsearch otherwise it gave me "emails emails" as the field name!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, removed extra field. My bad, I forgot that 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
