Splunk Search

eval an existing field which is used for a lookup...

ndcl
Path Finder

Hi Base,
when I do an eval on an existing field which is also used for a lookup than the lookup ignores the eval result and use the origin instead.
f.e. I have IP addresses from 2 fields fieldIpA and fieldIpB and I combine them

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)

If I do a “stats list(fieldIpA)” I will get a list with the results from both. If I do a lookup to resolve the IP to something else:

| lookup IPDes Description as rIPs

Then the lookup only return the results from fieldIpA.
If I add to the probs.conf declaration:

LOOKUP-< rIP> = fieldIpA AS tIP OUTPUT Description as rIPs

and do the eval with the tIP field than I get empty results and no lookup.
How it is possible to get the lookup to work?

Thanks!

0 Karma
1 Solution

ndcl
Path Finder

2 lookups doing the job. Declare a lookup for both fields in prop.conf:

LOOKUP-< rIPA> = aLOIP AS fieldIpA OUTPUT Description as ArIPs
LOOKUP-< rIPB> = bLOIP AS fieldIpB OUTPUT Description as BrIPs

Point the lookups to the same file in transforms.conf:

[aLOIP]
filename = ip_Des.csv
[bLOIP]
filename = ip_Des.csv

Now the Search look like this:

... | lookup aLOIP Description as ArIPs | lookup bLOIP Description as BrIPs | eval NewrIPs=coalesce(ArIPs,BrIPs) | stats list(NewrIPs)

If you want you can skip the Description part in the lookup.

View solution in original post

0 Karma

ndcl
Path Finder

2 lookups doing the job. Declare a lookup for both fields in prop.conf:

LOOKUP-< rIPA> = aLOIP AS fieldIpA OUTPUT Description as ArIPs
LOOKUP-< rIPB> = bLOIP AS fieldIpB OUTPUT Description as BrIPs

Point the lookups to the same file in transforms.conf:

[aLOIP]
filename = ip_Des.csv
[bLOIP]
filename = ip_Des.csv

Now the Search look like this:

... | lookup aLOIP Description as ArIPs | lookup bLOIP Description as BrIPs | eval NewrIPs=coalesce(ArIPs,BrIPs) | stats list(NewrIPs)

If you want you can skip the Description part in the lookup.

0 Karma

ndcl
Path Finder

the problem ask here was the lookup, not the coalesce and in my case it match exact to the definition.

Thanks

0 Karma

linu1988
Champion

Are you sure its right? It may work for now, but you will not get "BrIPs" ever if the "ArIPs" value is not NULL. Please follow the definition of coalesce carefully. Thanks.

0 Karma

ndcl
Path Finder

It seems that I was not exact enough. Of cause I get the values of fieldIpA that´s my intension, but if I use it in that way as you suggested:

“| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)”

than I´m back at the starting point of the problem. The values of fieldIpA are from before the processing via eval and the lookup comes after the eval. I think that the lookup will be built before search time and the eval will cast the field to a new variable that lookup do not “see”. I should better create 2 lookups and combine the result fields

Thanks

0 Karma

linu1988
Champion

Yes it will always return the value of fieldIpA if its not Null at any place. That's the job of coalesce function. if you want both of them then you have to do the below query.

table fieldIpA,fieldIpB| lookup LtDes fieldIpA |lookup LtDes fieldIpB as fieldIpA|stats list(fieldIpA,fieldIpB).

Lets hope it gives you the result.

0 Karma

ndcl
Path Finder

Ok my fault: I miised the IPDes but it was there so:

LOOKUP-< rIP> = IPDes fieldIpA OUTPUT Description as rIPs

ist the correct line. The search:

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)

worked but with the same result than before: Only values from fieldIpA

0 Karma

linu1988
Champion

it should be

prop.conf I declare IPDes:
LOOKUP-< rIP> = LtDes fieldIpA OUTPUTNEW rIPs

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)

please give correct column name in lookup table.
Have fieldIpA,rIPs as lookup fields, that should do the job for you.

0 Karma

ndcl
Path Finder

the origin search looks similar to this:

...| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup IPDes Description as rIPs | stats list(fieldIpA)

In prop.conf I declare IPDes:
LOOKUP-< rIP> = fieldIpA OUTPUT Description as rIPs

the lookup filed have the same name than the field.

and transforms.conf:
[LtDes]
filename = ip_Des.csv

If I use this syntax: "lookup fieldIpA as fieldIpA" throws an error: not such a lookup. right after the lookup the lookup name is needed.

0 Karma

linu1988
Champion

Could you share the search query? after the eval fieldIpA=coalesce(fieldIpA,fieldIpB)|lookup fieldIpA as Lookuptable_field should give you the result.

0 Karma

linu1988
Champion

Are you doing the eval to same field and assigning to itself? Assign it to some other variable if you are using for other purposes. Try doing the lookup after the eval is done and you have the final result for the field. And while calling lookup try to specify the field names

e.g. |lookup search_field as lookup_field

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...