Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using a token to define a lookup name.

pbryant_splunk
Splunk Employee
Splunk Employee
‎06-07-2019 04:38 AM

I have defined a token "$command$, this happens to be a command name. The command is currently the curl command. I wish to use this token in a dashboard to use the command name as the lookup name. As I wish to return fields, values about a command uniquely.
As an example

lookup $command$ option as switch

This does not work, I get error

Error in 'lookup' command: Lookups: Could not construct lookup 'cat, option, as, switch'. See search.log for more details.

I suspect this is not possible but wondered if the community if it is possible? Or if anyone can suggest a away to dynamically populate the lookup name based on field values.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-10-2019 04:37 AM

There are a couple different curl SPL commands out there. Check splunkbase for "curl".

But it looks like you're trying to add Linux shell commands to the lookup and that's not going to work

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-08-2019 03:47 PM

While tokens can be used to replace text in many places, the replacement must be valid SPL. The lookup command takes the name of the lookup table as its first argument. In this example, for the token to work it must contain an existing lookup table name. If $command$ contains "curl https://splunk.com", for example, the resulting command becomes lookup curl https://splunk.com option as switch, which will fail not only because 'curl' is unlikely to be a lookup name, but "https://splunk.com" cannot be the name of a field in a lookup.

It is not possible to use arbitrary commands with lookup to get data from other sources.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

pbryant_splunk
Splunk Employee
Splunk Employee
‎06-10-2019 03:26 AM

So just to confirm. The command curl is just a string i.e. the word curl. It could be any word really derived from a field. It would be single word, no spaces.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-10-2019 04:21 AM

The string still must represent an existing lookup definition. The remaining arguments to the lookup command must be valid field names in the referenced lookup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...