Solved: Is it possible to use a search value or a token in...

iKate · ‎07-07-2016

Hi!

Is it possible to pass into lookup's name created by outputlookup command a token or a search value?

Smth like this:

index=foo 
| eval week=<here comes some evaluation, e.g. number of week>
| outputlookup dataset_$week$.csv

I've tried to write it differently, but outputlookup eats all sorts of symbols and just creates files with $ ' " ` in its name while I wanted dataset_15.csv

ryanoconnor · ‎07-07-2016

The map command should be able to handle this. For example:

index=* host=sample_host | dedup host  | map search="search * | outputlookup $host$.csv"

View solution in original post

ryanoconnor · ‎07-07-2016

The map command should be able to handle this. For example:

index=* host=sample_host | dedup host  | map search="search * | outputlookup $host$.csv"

iKate · ‎07-07-2016

Wow! It works, thank you!

Is it possible to use a search value or a token in the outputlookup name?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

Is it possible to use a search value or a token in the outputlookup name?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management