automatic lookup on a field that is automatically looked up

New Member

Is it possible to set up an automatic lookup on a field that is automatically looked up?

For example, if I add the following in the props.conf and have the appropriate lookup tables,

LOOKUP-foo = lookuptablefoo userid AS myuserid OUTPUT username AS myusername
LOOKUP-bar = lookuptablebar usergroup AS myusergroup OUTPUT usergroup AS myusergroup

will the field myusergroup be automatically searchable?

0 Karma

Re: automatic lookup on a field that is automatically looked up

Path Finder

I assume you meant:
LOOKUP-foo = lookuptablefoo userid AS myuserid OUTPUT username AS myusername
LOOKUP-bar = lookuptablebar username AS myusername OUTPUT usergroup AS myusergroup

Yes, you can use the result of one lookup anywhere after that lookup has executed, as the OUTPUT data (myusername) will be a regular field accessible to subsequent commands.

You probably want to make sure you get one and only one match from the first lookup. I believe Splunk will return multiple matches as a multikv field, which the subsequent lookup probably won't know what to do with.

0 Karma

Re: automatic lookup on a field that is automatically looked up

New Member

Thanks stefandagerman for your response.
But I'm still having some troubles. Please correct me if I'm doing something wrong.

In props.conf, I have the following (exactly):
LOOKUP-ip = geoip clientip AS ip OUTPUTNEW client_country AS country
LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq

With the above setting, the following searches return valid results:
| stats count by country
OR
| stats count by country | lookup regionhq name AS country OUTPUT hq | stats sum(count) by hq

But the following does not return any results
| stats count by hq

Any idea where I'm wrong?

0 Karma

Re: automatic lookup on a field that is automatically looked up

Splunk Employee

What if you change this:

LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq

to this:

LOOKUP-xhq = regionhq name AS country OUTPUTNEW hq AS hq

I believe these are processed alphabetically in order of lookup name. Since LOOKUP-hq > LOOKUP-ip, you may be running into an order-of-operations issue.

0 Karma
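
A way to check a props.conf stanza for the ordering problem described in the reply above, as an added example that is not part of the original thread and not Splunk's own tooling. It assumes, as that reply suggests, that automatic lookups are applied in sort order of the LOOKUP-<class> name; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the two LOOKUP- lines posted in the thread.
SAMPLE_PROPS = """\
LOOKUP-ip = geoip clientip AS ip OUTPUTNEW client_country AS country
LOOKUP-hq = regionhq name AS country OUTPUTNEW hq AS hq
"""

LOOKUP_LINE = re.compile(r"^\s*LOOKUP-(?P<cls>[^\s=]+)\s*=\s*(?P<spec>.+)$")

def _event_fields(tokens):
    """Return the event-side names from '<lookup_field> AS <event_field>' runs."""
    fields, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            fields.append(tokens[i + 2])   # name the field has in the event
            i += 3
        else:
            fields.append(tokens[i])       # no AS: same name on both sides
            i += 1
    return fields

def parse_lookups(props_text):
    """Map lookup class name -> (input event fields, output event fields)."""
    lookups = {}
    for line in props_text.splitlines():
        m = LOOKUP_LINE.match(line)
        if not m:
            continue
        tokens = m.group("spec").replace(",", " ").split()[1:]  # drop table name
        split = next((i for i, t in enumerate(tokens)
                      if t.upper() in ("OUTPUT", "OUTPUTNEW")), len(tokens))
        lookups[m.group("cls")] = (_event_fields(tokens[:split]),
                                   _event_fields(tokens[split + 1:]))
    return lookups

def misordered(props_text):
    """List (consumer, field, producer) where the producer sorts after the consumer."""
    lookups = parse_lookups(props_text)
    order = sorted(lookups)  # assumed processing order: by class name
    return [(consumer, field, producer)
            for pos, consumer in enumerate(order)
            for producer in order[pos + 1:]
            for field in lookups[consumer][0]
            if field in lookups[producer][1]]

if __name__ == "__main__":
    print(misordered(SAMPLE_PROPS))
```

An empty result means every lookup that consumes another lookup's output is named so that it sorts after the lookup producing that field.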

Re: automatic lookup on a field that is automatically looked up

New Member

I have the same issue and wonder how a certain order of processing can be ensured/maintained. Currently only by name/alphabetically?

Same issue with extracted/transformed/calculated fields btw...

It would be nice to see the re-ordering functionality of the data model objects here.

0 Karma