I have defined a token "$command$, this happens to be a command name. The command is currently the curl command. I wish to use this token in a dashboard to use the command name as the lookup name. As I wish to return fields, values about a command uniquely.
As an example
lookup $command$ option as switch
This does not work, I get error
Error in 'lookup' command: Lookups: Could not construct lookup 'cat, option, as, switch'. See search.log for more details.
I suspect this is not possible but wondered if the community if it is possible? Or if anyone can suggest a away to dynamically populate the lookup name based on field values.
There are a couple different curl SPL commands out there. Check splunkbase for "curl".
But it looks like you're trying to add Linux shell commands to the lookup and that's not going to work
While tokens can be used to replace text in many places, the replacement must be valid SPL. The lookup
command takes the name of the lookup table as its first argument. In this example, for the token to work it must contain an existing lookup table name. If $command$ contains "curl https://splunk.com", for example, the resulting command becomes lookup curl https://splunk.com option as switch
, which will fail not only because 'curl' is unlikely to be a lookup name, but "https://splunk.com" cannot be the name of a field in a lookup.
It is not possible to use arbitrary commands with lookup
to get data from other sources.
So just to confirm. The command curl is just a string i.e. the word curl. It could be any word really derived from a field. It would be single word, no spaces.
The string still must represent an existing lookup definition. The remaining arguments to the lookup command must be valid field names in the referenced lookup.