Solved: Re: How to append dynamic value to end of search

ub_ik · ‎03-15-2022

Dear Community

I am looking for a way to add a static and a dynamic value at the end of a search to track the status of the (saved) search. I would like to add the dynamic value to be extraced from an CSV-File.

|...base search...
| table index, sourcetype, _time.....

| append
    [ makeresults
    | eval status="completed"
    | eval ID = missionID<field from input.csv>   
    ]

Any help is appreciated.

ITWhisperer · ‎03-16-2022

|...base search...
| table index, sourcetype, _time.....

| append
    [ | inputlookup input.csv 
    | eval status="completed"]

View solution in original post

ITWhisperer · ‎03-15-2022

Would something like this work for you?

|...base search...
| table index, sourcetype, _time.....

| append
    [ | makeresults
    | eval status="completed"   
    ]
| append
    [ | inputlookup input.csv ]

ub_ik · ‎03-16-2022

Thx for your answer. Unfortunately not. I need the field from the lookup on the same line as

the other evals in the first append.

ITWhisperer · ‎03-16-2022

|...base search...
| table index, sourcetype, _time.....

| append
    [ | inputlookup input.csv 
    | eval status="completed"]

ub_ik · ‎03-16-2022

life could be soo easy. thx a lot for your expertise.

How to append dynamic value to end of search?

lookup

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!