pass value of field from one search to another whe...

nagar57 · ‎01-14-2020

**I have a below search query:**
| inputlookup splunk_report_test.csv 
| where report_type="upcoming_offers" 
| lookup vatson_splunk_report_test_lookup report_type outputnew _key as pKey,email_id,flag 
| appendpipe 
    [| fields email_id,report_type,flag,pKey 
    | dedup pKey 
    | appendpipe 
        [| inputlookup vatson_splunk_report_test_lookup 
        | eval test_flag=if (match(pKey,_key),"close","open") 
        | fields email_id,flag,test_flag,pKey,test_key,report_type 
        | outputlookup test_vatson_test.csv] 
        ] 
| table name,age,country,email_id,flag,pKey,test_flag,pkey_list

My pKey value is not getting passed to the inner most inputlookup query. I need the pkey value passed to my below query:

[| inputlookup vatson_splunk_report_test_lookup 
         | eval test_flag=if (match(pKey,_key),"close","open") 
         | fields email_id,flag,test_flag,pKey,test_key,report_type 
         | outputlookup test_vatson_test.csv] 
         ]

How can I achieve this?
TIA !!

to4kawa · ‎01-14-2020

what's pKey and _key?
Looking your query, both are from same csv.

nagar57 · ‎01-14-2020

lookup vatson_splunk_report_test_lookup is a KeyValue Store which have _key and pKey contains the values just like _key

to4kawa · ‎01-15-2020

There is no information to consider the query.

pass value of field from one search to another when using appendpipe

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL