Parsing a variable to a lookup command

maigaard
New Member

Dear Splunk gurus

I am trying to get the lookup command to accept the lookup table name from a variable. 

Example: 

| eval list2=case(like(llist, "%option1%"), "list_number_1", like(risklist, "%option2%"), "list_number_2")
| lookup list2 Name AS value

So... I successfully get the right lookup name. If I table out the list2 (|table list2), I can see that list2 equals the name of the right lookup ("list_number_1"). So the eval command works as intended. 

If I use "|lookup list_number_1 Name AS value" it works great. 
So the lookup command works as intended. 

But if I use "|lookup list2 Name AS value" it does not work even though "list2" = "list_number_1". 

So it seems the lookup command will not accept a variable even when the variable contains the name of a valid lookup file. 

But can that be true? This works everywhere else in Splunk... 


PickleRick
SplunkTrust

No. It doesn't "work everywhere". Some commands support field names as arguments, some don't - they need static values. Additionally dashboards support substituting tokens for values in SPL search but this is done by the dashboard mechanism _before_ the resulting search is spawned so the tokens are being substituted with actual values from the dashboard before the SPL is sent for execution.

To some extent you can sometimes do "dynamic programming" by generating part of your SPL with a subsearch as @bowesmana showed or by using the map command (which is hardly ever the right solution) but most often it's just a case of rethinking your problem.

What is it you want to achieve? If you want to decide dynamically _per event_ which lookup to look up from, that will not work. Splunk doesn't do that. Running a subsearch-based lookup name assignment would yield just one lookup for your whole search.

The right technique here would be to run two lookups sequentially, populating two separate (sets of) fields, and then in a subsequent eval dynamically assign the destination field to either of the resulting values depending on your logical conditions.

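The two-lookups-then-eval approach described in the reply above, written out as a search. This is an added example, not code from the original thread: the `llist`/`risklist` conditions and the `Name AS value` match come from the question, while the lookup column `Category` and the fields `which_list`, `category_1`, `category_2` and `category` are assumed names chosen for illustration.

```spl
| eval which_list=case(like(llist, "%option1%"), "list_number_1", like(risklist, "%option2%"), "list_number_2")
| lookup list_number_1 Name AS value OUTPUT Category AS category_1
| lookup list_number_2 Name AS value OUTPUT Category AS category_2
| eval category=case(which_list=="list_number_1", category_1, which_list=="list_number_2", category_2)
| fields - category_1, category_2
```

Both lookups run against every event with static table names, so the per-event choice happens only in the final eval; events matching neither condition get no `category` value.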

maigaard
New Member

What I mean by "this works everywhere else" is that the use of variables as input works elsewhere. 

This is not for a dashboard, but is meant to be used in a saved search. 


bowesmana
SplunkTrust

The use of variables does not work everywhere, but you can achieve this with a subsearch. If you wrap the eval statement as a subsearch to the lookup command it will work, i.e.

| lookup [ | makeresults | eval list2=case(like(llist, "%option1%"), "list_number_1", like(risklist, "%option2%"), "list_number_2") | return $list2 ] Name as value

ITWhisperer
SplunkTrust

Please can you give examples of what "this" is as in "This works everywhere else in Splunk"?

Having said that, if this is for use in a dashboard, you may be able to achieve your desired outcome with the use of tokens.
