Solved: add additional fields to lookup

bsteelz93 · ‎06-06-2011

I have a data set that I am running a search on. From this data set I am creating a lookup of domains. I want to take that lookup and search a different set of data. In order to do that I need a second column in order to run a search on the lookup. I want the second column to be something like

baddomain
TRUE

Then I could run the following search on the lookup:
* | lookup domain fld | search baddomain=True

Is there a way to add the second column during the search? Is there a better way to accomplish what I am trying to do?

hazekamp · ‎06-06-2011

bsteelz,

It is extremely easy to add static k-v pairs to a results set before outputting to your lookup. This can be achieved using the "eval" search command. For example,

## Lookup Generating Search
<your search> | fields + domain | eval is_bad="true" | outputlookup bad_domain_lookup

## This gives you a "bad_domain_lookup" with:
domain,is_bad
somedomain,true

## Using Lookup
<your other search> | lookup bad_domain_lookup domain OUTPUT is_bad | search is_bad="true"

View solution in original post

hazekamp · ‎06-06-2011

bsteelz,

It is extremely easy to add static k-v pairs to a results set before outputting to your lookup. This can be achieved using the "eval" search command. For example,

## Lookup Generating Search
<your search> | fields + domain | eval is_bad="true" | outputlookup bad_domain_lookup

## This gives you a "bad_domain_lookup" with:
domain,is_bad
somedomain,true

## Using Lookup
<your other search> | lookup bad_domain_lookup domain OUTPUT is_bad | search is_bad="true"

add additional fields to lookup

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake