Splunk Search

Lookup on Calculated field

Communicator

Hi,
Is it possible to do a lookup using a calculated field? If yes, what is the procedure?
I tried doing it but it is not working for me; maybe I am missing something.

Thanks and Regards


Influencer

Hi there,

I'm going to assume your calculated field is using stats or eval? - For a better answer, tailored to your issue, it is always best to show the search being used (even if some values are omitted for security reasons).

After you have your "calculated" fields, you may want to rename the fields to a simple format, e.g.

.. | rename count(somefield) AS countSomeField
OR
.. | rename "Some Crazily Formatted_Field(!&$(" AS someField

I have had some issues with fields not looking up properly, but it worked once I changed the name being used. As I said, to help us help you, please paste in your search and the header row of the CSV file.

You can also check that Splunk has accepted your lookup configuration by running the following search (replacing the tag as to your needs):

| inputlookup <yourLookupName>

NOTE: The "|" (pipe) should be the first character typed as this is a special search command.

UPDATE: Based on your example...

So to clarify, your CSV has the following header:

pages,modulename

And you wish to link the pages field from your lookup to the extracted module field from your search (as you detailed it as Linkingfield)? If so, try the following:

host="hostname"
| rex field=msg "(GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))"
| lookup <yourLookupFile> pages AS module OUTPUT modulename
| table _time host module modulename

You should check out the documentation also... http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

Hope this helps,

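As an added example (not posted by anyone in this thread), the whole pipeline with the calculated field normalised before it is used as the lookup key. It assumes a lookup definition named pages_lookup over a constructed CSV with the header pages,modulename and lower-case page names, and a hypothetical host value; pages is the column in the lookup and module is the field produced by rex and eval.

```spl
host="hostname"
| rex field=msg "GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))" max_match=1
| eval module=lower(trim(module))
| lookup pages_lookup pages AS module OUTPUTNEW modulename
| fillnull value="NOT_IN_LOOKUP" modulename
| table _time host module modulename
```

Run `| inputlookup pages_lookup` first to confirm the definition resolves; if the CSV column has mixed case, set `case_sensitive_match = false` on the lookup definition in transforms.conf rather than relying on lower(). Events with no matching row keep the placeholder value instead of losing the field, so unmapped modules stay visible.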

Champion

Yes Chayya, it's possible. But you need to mention a common field for both the lookup table and the output data from the query.

Further, you need to mention the lookup definition, as |inputlookup will not work in the middle of the query. You will definitely get the output if the data matches the lookup table data; your case will work out very well.

Influencer

That's cool.


Champion

Agreed, edited my comment

Influencer

That's not entirely true, you can reference fields when doing the lookup, e.g. someField AS someOtherField.



Communicator

Hi,
I want to restrict my regex to the first match; how can I do that?


Communicator

search:
host="hostname" | rex field=msg "(GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))"

I want to do a lookup on the module field extracted in rex.

The fields in the lookup file are
pages (linking field) and modulename
