automatic lookup on a field that is automatically looked up

dukkyook
New Member

Is it possible to setup an automatic lookup on a field that is automatically looked up?

For example, if I add the following in the props.conf and have the appropriate lookup tables,

LOOKUP-foo = lookuptablefoo userid AS myuserid OUTPUT username AS myusername
LOOKUP-bar = lookuptablebar usergroup AS myusergroup OUTPUT usergroup AS myusergroup

will the field myusergroup be automatically searchable?


stefandagerman
Path Finder

I assume you meant:
LOOKUP-foo = lookuptablefoo userid AS myuserid OUTPUT username AS myusername
LOOKUP-bar = lookuptablebar username AS myusername OUTPUT usergroup AS myusergroup

Yes, you can use the result of one lookup anywhere after that lookup executed as the OUTPUT data (myusername) will be a regular field accessible to subsequent commands.

You probably want to make sure you get one and only one match from the first lookup. I believe Splunk will return multiple matches as a multikv field, which the subsequent lookup probably won't know what to do with.


fDK
New Member

I have the same issue and wonder how a certain order of processing can be ensured/maintained. Currently only by name/alphabetically?

Same issue with extracted/transformed/calculated fields btw...

It would be nice to see the re-ordering functionality of the data model objects here.


jervin_splunk
Splunk Employee

What if you change this:

LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq

to this:

LOOKUP-xhq = regionhq name AS country OUTPUTNEW hq AS hq

I believe these are processed alphabetically in order of lookup name. Since LOOKUP-hq > LOOKUP-ip, you may be running into an order-of-operations issue.


dukkyook
New Member

Thanks stefandagerman for your response.
But I'm still having some troubles. Please correct me if I'm doing something wrong.

In props.conf, I have the following (exactly):
LOOKUP-ip = geoip clientip AS ip OUTPUTNEW client_country AS country
LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq

With the above setting, the following searches return valid results:
| stats count by country
OR
| stats count by country | lookup regionhq name AS country OUTPUT hq | stats sum(count) by hq

But the following does not return any results:
| stats count by hq

Any idea where I'm wrong?

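To make the order-of-operations point from jervin_splunk's reply and dukkyook's geoip/regionhq setup concrete, here is an added simulation (not Splunk code, and not from anyone in the thread) that applies LOOKUP-* definitions in ASCII order of their class name, which is the ordering assumed in the thread; the lookup tables, IP and event values are constructed.

```python
# Simulated Splunk automatic lookups (props.conf LOOKUP-<class> stanzas).
# Assumption from the thread: definitions run in ASCII order of class name.
from typing import Dict, List, Tuple

# Constructed stand-ins for the geoip and regionhq lookup tables.
LOOKUP_TABLES: Dict[str, List[Dict[str, str]]] = {
    "geoip":    [{"clientip": "198.51.100.7", "client_country": "DE"}],
    "regionhq": [{"name": "DE", "hq": "EMEA"}],
}

# (class name, table, table input field, event input field,
#  table output field, event output field), i.e. the thread's
# "LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq".
LookupDef = Tuple[str, str, str, str, str, str]

def apply_lookup(event: Dict[str, str], table: str, in_tbl: str,
                 in_ev: str, out_tbl: str, out_ev: str) -> Dict[str, str]:
    """OUTPUTNEW semantics: set the field only if absent and one row matches."""
    key = event.get(in_ev)
    if key is None or out_ev in event:
        return event
    rows = [r for r in LOOKUP_TABLES[table] if r[in_tbl] == key]
    if len(rows) == 1:  # >1 match would give a multivalue field, as noted above
        event[out_ev] = rows[0][out_tbl]
    return event

def run_automatic_lookups(event: Dict[str, str],
                          defs: List[LookupDef]) -> Dict[str, str]:
    """Apply every definition, sorted by class name (assumed ASCII order)."""
    event = dict(event)
    for _, table, in_tbl, in_ev, out_tbl, out_ev in sorted(defs):
        event = apply_lookup(event, table, in_tbl, in_ev, out_tbl, out_ev)
    return event

# dukkyook's configuration: LOOKUP-hq sorts before LOOKUP-ip, so when the
# hq lookup runs the country field does not exist yet.
BROKEN: List[LookupDef] = [
    ("LOOKUP-ip", "geoip", "clientip", "ip", "client_country", "country"),
    ("LOOKUP-hq", "regionhq", "name", "country", "hq", "hq"),
]
# jervin_splunk's rename: LOOKUP-xhq sorts after LOOKUP-ip.
FIXED: List[LookupDef] = [
    ("LOOKUP-ip", "geoip", "clientip", "ip", "client_country", "country"),
    ("LOOKUP-xhq", "regionhq", "name", "country", "hq", "hq"),
]

if __name__ == "__main__":
    print(run_automatic_lookups({"ip": "198.51.100.7"}, BROKEN))  # no hq
    print(run_automatic_lookups({"ip": "198.51.100.7"}, FIXED))   # hq=EMEA
```

With BROKEN the event gets country but never hq, which is why "| stats count by hq" comes back empty; with FIXED both fields are populated.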