Splunk Search

How to use lookup output to use as another lookup file name?

rita_25
Loves-to-Learn

Hi, I've been trying to use the output from a lookup as input to another lookup. In the first lookup I have the names of the files to search:

I have a query with field names on a column like this: 

field1   
name1
name2

Then, I search field1 in a lookup with a column with file names like this:

| lookup wheretosearch.csv field1 OUTPUTNEW lookup_name

My lookup wheretosearch.csv looks like this:

field1   lookup_name
name1    name1_lookup.csv
name2    name2_lookup.csv

Then, I need that field lookup_name to search in a lookup for each row:

| lookup lookup_name ....

But obviously, this is not possible because the variable lookup_name is not the name of a csv file. How can I do this?

0 Karma

PickleRick
SplunkTrust

Short answer is - you can't. Not within a single search.

Long answer - The search pipeline is parsed at the beginning of the search. All macros and variables are expanded into static values, subsearches are evaluated and rendered into static values as well. So you can't just dynamically "choose" which lookup to use at that point of your search. The lookup command definition and syntax says that you need an explicitly given lookup name as well as a set of input and output fields. So there is no place for "variability" in the search itself.

What you can do - if you have only two or three search variants - is to run all of the searches outputting the results to different fields or sets of fields and after that conditionally evaluate your main result field to be one of those looked up fields. Not very pretty but should work. You can also use the map command to spawn a separate search for each result of your primary search. Then you could indeed use a variable lookup name since each pass of the lookup call would be from a separate search but - especially if your result has more than a few resulting events - it's a horrible idea performance-wise since you're spawning new searches.

0 Karma
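
The first workaround from the answer above, as an added example (not code from either poster): every candidate lookup is named statically, each writes its result to its own field, and case() keeps the one selected by lookup_name. The makeresults rows are constructed sample input, and the column names example_key and example_value are assumptions, since the thread does not show which fields the second lookup uses.

```spl
| makeresults count=2
| streamstats count AS n
| eval field1="name".n, example_key="k".n
| lookup wheretosearch.csv field1 OUTPUTNEW lookup_name
| lookup name1_lookup.csv example_key OUTPUTNEW example_value AS value_from_name1
| lookup name2_lookup.csv example_key OUTPUTNEW example_value AS value_from_name2
| eval example_value=case(lookup_name=="name1_lookup.csv", value_from_name1,
                          lookup_name=="name2_lookup.csv", value_from_name2)
| fields - n value_from_name1 value_from_name2
```

Rows whose lookup_name matches neither branch end up with a null example_value, which makes a file name missing from the case() list easy to spot.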