Splunk Search

lookup against an extracted field

Contributor

Is it possible to have a lookup table keyed off of an extracted field?

Given the props:

```
[foo]
EXTRACT-bu = ^(?<bu>.{5})\- in host
LOOKUP-bu = bu_fields bu
```

and the transforms:

```
[bu_fields]
filename = buFields.csv
```

Should this work?

I believe the lookuptable is there, because this works as expected:

```
sourcetype="foo" | lookup bu_fields bu
```
Splunk Employee

Yes, of course. In fact, almost all fields are extracted, so this is what lookups normally do. Generally, the order at search time is:

1. KV_MODE
2. EXTRACT
3. REPORT
4. FIELDALIAS
5. LOOKUP
Splunk Employee

This answer was written before calculated fields. Now that we have calculated fields: 4.5 = EVAL (calculated fields)

Contributor

I think an indexed field is the answer in this case.

Splunk Employee

or by using `where` or `search` after the initial search, or by creating an indexed field.

Splunk Employee

Well, actually, are you trying to do a reverse lookup? That won't work if the extracted value is not from the `_raw` field, and yours is from `host`. The forward lookup should work okay, though. You can make it work with much-diminished performance by setting INDEXED_VALUE = false in fields.conf for the `bu` field.
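The following is an added example, not configuration posted by anyone in this thread: it puts the search-time ordering from the earlier answer (EXTRACT runs before LOOKUP, so a lookup can key on an extracted field) and the reverse-lookup caveat from this one into a complete set of .conf stanzas. The CSV columns (bu, bu_name, region), the hostname `ABCDE-web01`, and the values in buFields.csv are constructed for illustration and are not on the original page.

```ini
# props.conf -- applies to events of sourcetype "foo"
[foo]
# EXTRACT runs before LOOKUP at search time. Pull the first five characters
# of the host field into "bu", stopping at the first hyphen
# (constructed example: host "ABCDE-web01" -> bu=ABCDE).
EXTRACT-bu = ^(?<bu>.{5})- in host
# Because LOOKUP runs after the extraction, it can key on "bu".
# OUTPUT names the CSV columns to add to each event (assumed column names).
LOOKUP-bu = bu_fields bu OUTPUT bu_name region

# transforms.conf -- the lookup definition, same as in the question
[bu_fields]
filename = buFields.csv

# buFields.csv -- constructed sample rows; the real file is not on the page
# bu,bu_name,region
# ABCDE,Retail Banking,EMEA
# FGHIJ,Cards,APAC

# fields.conf -- only needed for the reverse lookup.
# Without this stanza, a search such as  region=EMEA  is translated back
# into  bu=ABCDE  and Splunk then expects the token ABCDE to appear in _raw
# before the extraction runs. Since "bu" comes from host rather than _raw,
# no events match. INDEXED_VALUE = false tells Splunk not to assume the
# value is present in _raw, at the cost of extracting every candidate
# event before filtering, which is the performance hit noted above.
[bu]
INDEXED_VALUE = false
```

With these files in place, the forward lookup needs no explicit `lookup` command: `sourcetype="foo" | table host bu bu_name region` shows the CSV columns attached automatically. The reverse lookup `sourcetype="foo" region=EMEA` only returns events once the fields.conf stanza is present; if the search is too slow on large data, the alternative the other replies suggest is to make `bu` an indexed field or to filter with `search`/`where` after the initial search.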

Path Finder

Yeah, I've made it work with another test, so something is weird in that config.

Looks like I'll need to make an indexed field out of bu if I want to search against the fields in the lookup, though.