Splunk Search

Evaluate search with lookup field?

gljiva
Path Finder

Hi, I'm having problem with evaluating expression using lookup field. I create a lookup fileld by executing this search:
some search| stats avg(count) as Average | outputlookup Average.csv

Next i would like to use this value in other searches to evaluate some field with saved lookup value. I tried using lookup command but i can not append single field to all results, i can append field to separate entry but then i cant do: eval field1 > field2.

Any suggestions?
thx

0 Karma
1 Solution

Paolo_Prigione
Builder

What about using a fake lookup-field? Something like:

some search | stats avg(count) as Average | eval keyfield=12345 | outputlookup Average.csv

which will save two columns in the csv file: "keyfield" and "Average". Then, when you run the actual search you could do:

query search | eval keyfield=12345 | lookup Average.csv keyfield OUTPUT Average | where somefield > Average

in order to retrieve the stored value and filter results based on the stored Average.

View solution in original post

Paolo_Prigione
Builder

What about using a fake lookup-field? Something like:

some search | stats avg(count) as Average | eval keyfield=12345 | outputlookup Average.csv

which will save two columns in the csv file: "keyfield" and "Average". Then, when you run the actual search you could do:

query search | eval keyfield=12345 | lookup Average.csv keyfield OUTPUT Average | where somefield > Average

in order to retrieve the stored value and filter results based on the stored Average.

gljiva
Path Finder

Thanks, this works!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...