Solved: Is it possible to use a search value or a token in...

iKate · ‎07-07-2016

Hi!

Is it possible to pass into lookup's name created by outputlookup command a token or a search value?

Smth like this:

index=foo 
| eval week=<here comes some evaluation, e.g. number of week>
| outputlookup dataset_$week$.csv

I've tried to write it differently, but outputlookup eats all sorts of symbols and just creates files with $ ' " ` in its name while I wanted dataset_15.csv

ryanoconnor · ‎07-07-2016

The map command should be able to handle this. For example:

index=* host=sample_host | dedup host  | map search="search * | outputlookup $host$.csv"

View solution in original post

ryanoconnor · ‎07-07-2016

The map command should be able to handle this. For example:

index=* host=sample_host | dedup host  | map search="search * | outputlookup $host$.csv"

iKate · ‎07-07-2016

Wow! It works, thank you!

Is it possible to use a search value or a token in the outputlookup name?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Is it possible to use a search value or a token in the outputlookup name?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...