Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a new field at index-time using a lookup?

LewisWheeler
Communicator
‎05-10-2016 09:00 PM

I have a challenge where I want to place a static field (at index-time, NOT search-time) onto events as they are indexed.

The value of this new field must be from a lookup, based upon data already in _raw.

Lets assume the REX we need to extract here the value to be looked up is:

Test Location:(?<valueToLookup>[0-9.])*

Can anyone help me with code samples on how to then use valueToLookup to create a new field called resolvedLookupAtIndex so it appears as a static field?

NB: I have a separate search head vs indexer environment.

Reply
1 Solution
Solved! Jump to solution
Solution

teekayx
Path Finder
‎10-12-2016 01:24 AM

You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time. Refer to this and this answers. If its still something you are pondering on, you can explain why it cannot be a search time lookup to discuss possible options.

View solution in original post

Reply
Solved! Jump to solution
Solution

teekayx
Path Finder
‎10-12-2016 01:24 AM

You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time. Refer to this and this answers. If its still something you are pondering on, you can explain why it cannot be a search time lookup to discuss possible options.

Reply
Solved! Jump to solution

LewisWheeler
Communicator
‎10-12-2016 01:38 AM

I did thanks, I spoke to someone at the last Splunk Live in London and confirmed this - thanks for adding an answer though.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...