Splunk Search

Lookup using temporary dataset?

Mick_OBrien
Path Finder

I'm trying to add a lookup to enrich results returned from a 'simple' search. The search command I'm using (I have limited it to one key/value pair) is:

index=ee_commercialbankingeforms_pcf "*LEVEL=WARN*" | rex "^\S+\s(?<microService>\S+).*MESSAGE=(?<message>.+)" | bucket _time span=day | stats count by microService, message | lookup [ {JIRASummary: "No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA: "CBE-968"} ] JIRASummary AS message OUTPUT JIRA

...but I keep seeing following error...

Error in 'SearchParser': Missing a search command before '{'. Error at position '192' of search query 'search index=ee_commercialbankingeforms_pcf "*LEVE...{snipped} {errorcontext = lookup [ {JIRASummar}'.

Can someone explain the error that I see?

Regards

Mick


Mick_OBrien
Path Finder

From...

lookup command examples - Splunk Documentation

..I see this example...

... | lookup users uid OUTPUTNEW username, department

What I was trying to do was include a temporary dataset...

Datasets - Splunk Documentation

i.e. trying to use same sample data as example then something along the lines of...

... | lookup [ {uid: "1066", username: "Claudia Gasrcia", department: "Engineering" }, {...}, {...} ] uid OUTPUTNEW username, department

...or generally...

search ... | lookup [temporary_dataset] key OUTPUTNEW <lookup_table_fields>

Is this use of lookup and temporary datasets possible?


richgalloway
SplunkTrust

The cited documentation is for SPL2, which cannot be used in a standard search (SPL).

---
If this reply helps you, Karma would be appreciated.

Mick_OBrien
Path Finder

Sorry - I don't know what you mean by SPL and SPL2?

Is there another way of enriching output results using lookup?


richgalloway
SplunkTrust

SPL2 is a revised query language used by Splunk in some of their newer products.  It is not supported in Splunk Enterprise, however.

The standard method for enriching data is by using a lookup table to find information from an event and insert related information from the lookup table.  The general format is

| lookup <lookup> <input field(s)> OUTPUT <output field(s)>

where <lookup> is either a CSV file, a lookup definition, or a KVStore collection
and <input field(s)> is one or more field names from the current results
and <output field(s)> is one or more column names from <lookup>.

See the Search Reference manual for specifics.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The query contains a subsearch, which is executed before the main search.  The subsearch must be valid SPL, which is not the case here.

{JIRASummary: "No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA: "CBE-968"}

is not SPL.  What exactly are you trying to do there?

A subsearch in this location doesn't make much sense.  The lookup command expects the name of a CSV file or defined lookup, which I've never seen come out of a subsearch.  Not that it can't be done, but the subsearch would have to return a valid lookup argument.

---
If this reply helps you, Karma would be appreciated.
0 Karma
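The two replies above describe the standard SPL pattern (a named lookup table, not an inline dataset, and no subsearch in the lookup argument). The following is an added example that is not part of this thread and was not posted by either participant. It builds the "temporary dataset" from the original question as a real CSV lookup with `makeresults`, `eval` and `outputlookup`, then runs the original search against it with `lookup`. The lookup file name `jira_summaries.csv` and the second row (summary text and `CBE-XXXX` key) are placeholders chosen for this example; the index name, the `rex` pattern and the first row come from the question.

```spl
| makeresults
| eval JIRASummary="No JWT found on UserPrincipal and no custom JWT claims configured. No nested JWT will be sent in downstream requests!", JIRA="CBE-968"
| append [
    | makeresults
    | eval JIRASummary="<placeholder: second WARN message text>", JIRA="CBE-XXXX"
  ]
| table JIRASummary JIRA
| outputlookup jira_summaries.csv
```

Run that once (it writes `jira_summaries.csv` into the lookups directory of the app you are in, so you need write permission there, and it will show up under Settings > Lookups > Lookup table files). The enrichment search then names the file instead of trying to embed the rows:

```spl
index=ee_commercialbankingeforms_pcf "*LEVEL=WARN*"
| rex "^\S+\s(?<microService>\S+).*MESSAGE=(?<message>.+)"
| bucket _time span=day
| stats count by microService, message
| lookup jira_summaries.csv JIRASummary AS message OUTPUTNEW JIRA
```

Two points worth checking: the match is an exact, case-sensitive string comparison between `message` and `JIRASummary`, so trailing whitespace or a slightly different message text yields no `JIRA` value (rows that do not match keep an empty `JIRA` field because `OUTPUTNEW` only fills fields that are missing); and `bucket _time span=day` has no effect here because `_time` is not in the `stats ... by` clause, so add `_time` to the `by` list if you want a per-day count.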