Splunk Search

Lookup using temporary dataset?

Mick_OBrien
Path Finder

I'm trying to add a lookup to enrich results returned from a 'simple' search. The search command I'm using [which I have limited to one key/value pair] is:

index=ee_commercialbankingeforms_pcf "*LEVEL=WARN*" | rex "^\S+\s(?<microService>\S+).*MESSAGE=(?<message>.+)" | bucket _time span=day | stats count by microService, message | lookup [ {JIRASummary: "No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA: "CBE-968"} ] JIRASummary AS message OUTPUT JIRA

...but I keep seeing the following error...

Error in 'SearchParser': Missing a search command before '{'. Error at position '192' of search query 'search index=ee_commercialbankingeforms_pcf "*LEVE...{snipped} {errorcontext = lookup [ {JIRASummar}'.

Can someone explain the error that I see?

Regards

Mick


Mick_OBrien
Path Finder

From...

lookup command examples - Splunk Documentation

..I see this example...

... | lookup users uid OUTPUTNEW username, department

What I was trying to do was include a temporary dataset...

Datasets - Splunk Documentation

i.e. trying to use same sample data as example then something along the lines of...

... | lookup [ {uid: "1066", username: "Claudia Garcia", department: "Engineering" }, {...}, {...} ] uid OUTPUTNEW username, department

...or generally...

search ... | lookup [temporary_dataset] key OUTPUTNEW <lookup_table_fields>

Is this use of lookup and temporary datasets possible?


richgalloway
SplunkTrust

The cited documentation is for SPL2, which cannot be used in a standard search (SPL).

---
If this reply helps you, Karma would be appreciated.

Mick_OBrien
Path Finder

Sorry - I don't know what you mean by SPL and SPL2?

Is there another way of enriching output results using lookup?


richgalloway
SplunkTrust

SPL2 is a revised query language used by Splunk in some of their newer products.  It is not supported in Splunk Enterprise, however.

The standard method for enriching data is by using a lookup table to find information from an event and insert related information from the lookup table.  The general format is

| lookup <lookup> <input field(s)> OUTPUT <output field(s)>

where <lookup> is either a CSV file, a lookup definition, or a KVStore collection
and <input field(s)> is one or more field names from the current results
and <output field(s)> is one or more column names from <lookup>.

See the Search Reference manual for specifics.

---
If this reply helps you, Karma would be appreciated.
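As an added illustration of that general form (this is not from the thread), the original search rewritten to use a CSV lookup file, assuming a file named jira_summaries.csv has been uploaded with two columns, JIRASummary (the full WARN message text) and JIRA (the ticket id):

```spl
index=ee_commercialbankingeforms_pcf "*LEVEL=WARN*"
| rex "^\S+\s(?<microService>\S+).*MESSAGE=(?<message>.+)"
| bucket _time span=day
| stats count by microService, message
| lookup jira_summaries.csv JIRASummary AS message OUTPUT JIRA
| fillnull value="UNTRIAGED" JIRA
```

Matching against a CSV lookup is exact by default, so each JIRASummary row must equal the extracted message character for character (including the trailing "!"), and the final fillnull makes messages with no ticket visible instead of silently leaving JIRA empty.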

richgalloway
SplunkTrust

The query contains a subsearch, which is executed before the main search.  The subsearch must be valid SPL, which is not the case here.

{JIRASummary: "No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA: "CBE-968"}

is not SPL.  What exactly are you trying to do there?

A subsearch in this location doesn't make much sense.  The lookup command expects the name of a CSV file or defined lookup, which I've never seen come out of a subsearch.  Not that it can't be done, but the subsearch would have to return a valid lookup argument.

---
If this reply helps you, Karma would be appreciated.