How to access fields within a subsearch / Inputloo...

wrussell12 · ‎06-03-2019

I cannot figure out how to use a variable to relate to a inputlookup csv field.

service_tier.csv

region, plan, price
USA, tier2, 100
CAN, tier1, 25

user_service_plans.csv

user, plan
mike, tier1
james, tier2

regions.csv

type, address, region
home, abc123, usa
work, 123cba, usa
home, xyz123, can
work 321xyz, can

I have a search that returns me a user, and their current region. I want to determine which address they have

the eval user, and eval TYPE are empty in the sub searches. If I hardcode the | where USER="mike" and | where type="HOME" I get the correct results.

How do I make my search visible to the subsearch lookups?

DavidHourani · ‎06-04-2019

Hi @wrussell12,

Use this instead to combine your three csv files together at minimum resource cost :

|inputlookup user_service_plans.csv where plan="tier1" AND user="mike" 
| lookup  service_tier.csv  plan
| eval region=lower(region), type="home" 
|lookup regions.csv region, type

Cheers,
David

harshpatel · ‎06-03-2019

Hi @wrussell12,

You can use command lookup.

For example:

| inputlookup service_tier.csv 
| eval user="mike" 
| eval TYPE="home" 
| lookup your_lookup.csv field1_from_lookup, field2_from_lookup output new_field_from_lookup

But keep in mind: lookup and join differences

If your use case requires you to use join then you can find this helpful - join.

wrussell12 · ‎06-03-2019

Am I doing this wrong? How an search a lookup for specific field(s)

How to access fields within a subsearch / Inputlookup

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!