Re: How can I append additional custom values to e...

tehale · ‎10-27-2014

I have an inputlookup xy.csv which is used by multiple searches and has comma separated data. In one of my searches, I want to append a custom value of my desire say "abc" to one of fields (say myfield ) obtained from an inputlookup, keeping all the existing values. More specifically, myfield should have values as myfield=myfield and "abc". I do not want "abc" to be appended at the end of each field value, but I want 'abc' to be a value itself so I can use it furthur for dnslookup by appending domain details.

wpreston · ‎10-27-2014

One way would be to eval your custom value ("abc") along with a delimiting character (like a comma) onto whichever field you want it to became a value of, then use makemv to make your field into a multi-value field and split the new value into two separate values of the field. Something like this:

... your base search ... | myfield=myfield.",abc" | makemv myfield delim=","

The . in the eval is just a way of concatenating the values of myfield and ",abc" together. Try this out and see if it accomplishes what you need.

How can I append additional custom values to existing field values obtained from an inputlookup?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...