Splunk Search

Performing a lookup using a string literal instead of a field name

AlexBryant
Path Finder

I'm performing a lookup against a csv and need to use two columns (description and function) to return the correct value. However, I have a case where I need to explicitly specify the function, while using a description value from an event. Here's a lookup that works for me:

| lookup products.csv ProductDescription as description, ProductFunction as function OUTPUTNEW Name as ProductName

What I need to do is this:

| lookup products.csv ProductDescription as description, ProductFunction as "Kitchen Appliance" OUTPUTNEW Name as ProductName

When the event happens to contain "Kitchen Appliance" as the function, the lookup works, but if I explicitly specify "Kitchen Appliance" as the lookup value, nothing is returned. Is this usage supported?

 

 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I've never seen that usage so you could be trying something that is not supported.  Have you tried assigning the literal to a field before the lookup?

 

...
| eval KA="Kitchen Appliance"
| lookup products.csv ProductDescription as description, ProductFunction as KA OUTPUTNEW Name as ProductName

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma

AlexBryant
Path Finder

Yep, assigning the literal value with an eval beforehand definitely works, and that's how I have it currently running, but I was hoping I could avoid that step. The docs only refer to a field value being used in the command and not a string, so I agree, it may be unsupported.

0 Karma