Solved: Re: How to use field value from outer query in inp...

Thulasinathan_M · ‎06-12-2023

Hi,

I'm trying to find whether a lookup file is available or not. If yes, I want to use the same file, if not I want to use different file, so far with some helps, I've written below query, the eval fileName if condition is working fine, in the stats I could see the correct results(desired files I'm looking for).

But I'm wondering whether I could use the filename in makeresults and search for lookup file. Could someone please assist. Thanks in advance.

index=main sourcetype="dummySource"  events
| stats by EventCode
| append [ | inputlookup states.csv | stats count as isAvailable ]
| stats sum(isAvailable) as available, values(EventCode) as EventCode
| eval fileName = if(available > 0, "1.csv", "2.csv")
| stats values(available) as available values(EventCode) as EventCode by fileName
| join type=left fileName 
   [| inputlookup [ | makeresults 
    | eval search=fileName
    | table search ]]

ITWhisperer · ‎06-12-2023

Try something like this

| inputlookup geo_attr_us_states.csv
| stats count as isAvailable
| eval fileName = if(isAvailable > 0, "1.csv", "2.csv")
| eval lookup="| inputlookup ".fileName
| map search="| makeresults | map search="$lookup$

View solution in original post

Thulasinathan_M · ‎06-12-2023

ITWhisperer · ‎06-12-2023

Try something like this

| inputlookup geo_attr_us_states.csv
| stats count as isAvailable
| eval fileName = if(isAvailable > 0, "1.csv", "2.csv")
| eval lookup="| inputlookup ".fileName
| map search="| makeresults | map search="$lookup$

Thulasinathan_M · ‎06-12-2023

Hi @ITWhisperer ,

Sorry, I misunderstood my existing flow and it's I've to add a field 'env' value from the main search. As I'm a newbie to splunk couldn't find a solution for this, could you please kindly assist.

index=main sourcetype=java ErrorCode=400 env=prod
| join type=left ErrorCode
[| inputlookup [| makeresults 
        | eval search="Errors".env.strftime(now(),"%m%d").".csv" 
        | table search]
| stats count as isAvailable
| eval fileName = if(isAvailable > 0, "Errors".env.strftime(now(),"%m%d").".csv", "Errors".env.strftime(relative_time(now(), "-1d"),"%m%d").".csv")
| eval lookup="| inputlookup ".fileName
| map search="| makeresults | map search="$lookup$]

ITWhisperer · ‎06-12-2023

From your main search, env=prod so why not just use that string in the lookup file name?

Thulasinathan_M · ‎06-12-2023

Thanks, working now.!!!

Thulasinathan_M · ‎06-12-2023

@ITWhisperer Based on the source the env values get change, from the results I add a new field as 'env' using rex and then have to use the field value to differentiate the files specific to each env.

Thulasinathan_M · ‎06-12-2023

Thank you, it did the trick 🙂

ITWhisperer · ‎06-12-2023

Essentially, you can't pass values from the outer search to the inner search, this is because, in general, the inner search is executed before the outer search.

One exception to this is the map command. However, the search which is executed for each event, replaces the event with its results.

You may be able to use this by doing the test first and use inputlookup to load the relevant csv file, then append your main search as a subsearch, then use stats to join your result to event from the lookup.

How to use field value from outer query in inputlookup?

eval

join

lookup

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation