Splunk Search

How do you use the lookup value as a variable?

I have the following lookup, which is basically a mapping lookup:
lookup name: "scoring_rules"

source , field_to_use , aggregated_risk_layer
"many FW alerts",src,L1
"virus found", dest,L1
"direct ssh connection",target_ip,L1

I have the following rows under index=notable and I want to get the marked field according to the lookup mapping:

 search_name="many FW alerts" src=**** dest= target_ip=  action=allow
 search_name="virus found" src= dest=**** target_ip=  action=allow
 search_name="direct ssh connection" src= dest= target_ip=****  action=allow

Now, I want the lookup value to be the variable to assign the value from the _raw with the relevant mapped field. Something like that:

index=notable search_name=*
| lookup local=true scoring_rules source as search_name
| eval src=field_to_use.value_from_lookup_to_be_the_var
0 Karma


Hi lozarich007,
Have you worked out the solution for your case? I have the same scenario here and am looking for assistance.

0 Karma


You can cheat using foreach:

base search OR'ing all these variations
| lookup scoring_rules source as search_name
| foreach src dest target_ip and all other fields your lookup can refer to, or * if you want to be lazy
  [eval output = if(field_to_use="<<FIELD>>", '<<FIELD>>', output)]
| do stuff with the output field
0 Karma
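
A runnable form of the foreach approach from the reply above, as an added example that is not part of the original thread. It assumes the `scoring_rules` lookup is defined as in the question; the events are constructed with `makeresults` (the 192.0.2.x addresses and the fourth search name are made up), and `mapping_status` and `data_origin` are hypothetical field names added so that unmatched rules and empty mapped fields show up in the result.

```spl
| makeresults count=5
| streamstats count AS n
| eval data_origin="constructed sample events, not real notables"
| eval search_name=case(n=1, "many FW alerts",
                        n=2, "virus found",
                        n=3, "direct ssh connection",
                        n=4, "rule missing from lookup",
                        n=5, "virus found")
| eval src=if(n=1, "192.0.2.10", null()),
       dest=if(n=2, "192.0.2.20", null()),
       target_ip=if(n=3, "192.0.2.30", null())
| lookup scoring_rules source AS search_name OUTPUT field_to_use aggregated_risk_layer
| eval field_to_use=trim(field_to_use)
| foreach src dest target_ip
    [ eval output=if(field_to_use=="<<FIELD>>", '<<FIELD>>', output) ]
| eval mapping_status=case(isnull(field_to_use), "no rule in lookup",
                           isnull(output), "mapped field is empty",
                           true(), "ok")
| table n search_name field_to_use output aggregated_risk_layer mapping_status data_origin
```

Against real data, replace everything before the `lookup` line with `index=notable search_name=*`. The `trim()` guards against stray whitespace in a lookup cell, which would otherwise make the comparison with the field name fail silently.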