Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Performing a lookup using a string literal instead of a field name

AlexBryant
Path Finder
‎12-11-2020 09:06 AM

I'm performing a lookup against a csv and need to use two columns (description and function) to return the correct value. However, I have a case where I need to explicitly specify the function, while using a description value from an event. Here's a lookup that works for me:

| lookup products.csv ProductDescription as description, ProductFunction as function OUTPUTNEW Name as ProductName

What I need to do is this:

| lookup products.csv ProductDescription as description, ProductFunction as "Kitchen Appliance" OUTPUTNEW Name as ProductName

When the event happens to contain "Kitchen Appliance" as the function, the lookup works, but if I explicitly specify "Kitchen Appliance" as the lookup value, nothing is returned. Is this usage supported?

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2020 12:11 PM

I've never seen that usage so you could be trying something that is not supported.  Have you tried assigning the literal to a field before the lookup?

 

...
| eval KA="Kitchen Appliance"
| lookup products.csv ProductDescription as description, ProductFunction as KA OUTPUTNEW Name as ProductName

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AlexBryant
Path Finder
‎12-11-2020 01:52 PM

Yep, assigning the literal value with an eval beforehand definitely works, and that's how I have it currently running, but I was hoping I could avoid that step. The docs only refer to a field value being used in the command and not a string, so I agree, it may be unsupported.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...