Re: pass value of field from one search to another...

nagar57 · ‎01-14-2020

**I have a below search query:**
| inputlookup splunk_report_test.csv 
| where report_type="upcoming_offers" 
| lookup vatson_splunk_report_test_lookup report_type outputnew _key as pKey,email_id,flag 
| appendpipe 
    [| fields email_id,report_type,flag,pKey 
    | dedup pKey 
    | appendpipe 
        [| inputlookup vatson_splunk_report_test_lookup 
        | eval test_flag=if (match(pKey,_key),"close","open") 
        | fields email_id,flag,test_flag,pKey,test_key,report_type 
        | outputlookup test_vatson_test.csv] 
        ] 
| table name,age,country,email_id,flag,pKey,test_flag,pkey_list

My pKey value is not getting passed to the inner most inputlookup query. I need the pkey value passed to my below query:

[| inputlookup vatson_splunk_report_test_lookup 
         | eval test_flag=if (match(pKey,_key),"close","open") 
         | fields email_id,flag,test_flag,pKey,test_key,report_type 
         | outputlookup test_vatson_test.csv] 
         ]

How can I achieve this?
TIA !!

to4kawa · ‎01-14-2020

what's pKey and _key?
Looking your query, both are from same csv.

nagar57 · ‎01-14-2020

lookup vatson_splunk_report_test_lookup is a KeyValue Store which have _key and pKey contains the values just like _key

to4kawa · ‎01-15-2020

There is no information to consider the query.

pass value of field from one search to another when using appendpipe

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms