Performing a lookup using a string literal instead...

AlexBryant · ‎12-11-2020

I'm performing a lookup against a csv and need to use two columns (description and function) to return the correct value. However, I have a case where I need to explicitly specify the function, while using a description value from an event. Here's a lookup that works for me:

| lookup products.csv ProductDescription as description, ProductFunction as function OUTPUTNEW Name as ProductName

What I need to do is this:

| lookup products.csv ProductDescription as description, ProductFunction as "Kitchen Appliance" OUTPUTNEW Name as ProductName

When the event happens to contain "Kitchen Appliance" as the function, the lookup works, but if I explicitly specify "Kitchen Appliance" as the lookup value, nothing is returned. Is this usage supported?

richgalloway · ‎12-11-2020

I've never seen that usage so you could be trying something that is not supported. Have you tried assigning the literal to a field before the lookup?

...
| eval KA="Kitchen Appliance"
| lookup products.csv ProductDescription as description, ProductFunction as KA OUTPUTNEW Name as ProductName

---
If this reply helps you, Karma would be appreciated.

AlexBryant · ‎12-11-2020

Yep, assigning the literal value with an eval beforehand definitely works, and that's how I have it currently running, but I was hoping I could avoid that step. The docs only refer to a field value being used in the command and not a string, so I agree, it may be unsupported.

Performing a lookup using a string literal instead of a field name

lookup

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout