Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to do Lookup via Calculated Field

DariusNG
Engager
‎09-24-2021 02:35 AM

Hi, I am trying to do a Lookup with a calculated field.

Details:

I have a csv containing three coloumns:
DomainName,ThreatName,Date

And my base search has a field "DomainName" which contains domains with "www." appended in some of the domains results. 

So I formulated my search like:
base search
| eval calcDomainName = replace(DomainName,"www\.", "")
| lookup iocs_domains DomainName as calcDomainName OUTPUT ThreatName, Date
| table xalcDomainName ThreatName Date

In my Lookup Definition, I have put "no_match" as my default.

However when searched with above, I dont get any fields like "ThreatName", "Date" in my output.

My Lookup is uploaded in search app and permissions are read for everyone. I am also searching the same under Search App only. And I can view contents of my csv with below command under Search & Reporting App:
| inputlookup iocs_domains

I even verified order of processing, in which calculated field preceeds Lookup. 
Unable to understand what am I doing wrong.


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:37 AM

That is not a Calculated Field.  Calculated fields are done automatically rather than via an eval statement in a query.

Have you verified the replace function is working properly?  Another way to make the same change is using the rex command.

| rex field=DomainName mode=sed "s/www\.//"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DariusNG
Engager
‎09-24-2021 06:00 AM

Ok, that clarifies. Yes the the replace is working perfectly.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 06:01 AM

Then please share some sample events and sample lookup table entries so we can help troubleshoot further.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:37 AM

That is not a Calculated Field.  Calculated fields are done automatically rather than via an eval statement in a query.

Have you verified the replace function is working properly?  Another way to make the same change is using the rex command.

| rex field=DomainName mode=sed "s/www\.//"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

DariusNG
Engager
‎09-24-2021 08:13 AM

I replaced eval with rex and things started to work. Seems lookups doesnt work on eval fields.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...