Splunk Search

query help inputlookup map

surekhasplunk
Communicator
| rest /services/authentication/users splunk_server=local 
| search 
    [| rest /services/authentication/current-context 
    | rename username as title 
    | fields title] 
| eval title=upper(title) 
| lookup employeeinfo.csv RACF_ID as title output EMPLOYEE_FULL_NAME 
| lookup rolesnames.csv "Delivery Manager" as EMPLOYEE_FULL_NAME output "Delivery Area" as area 
| where EMPLOYEE_FULL_NAME="abcd" 
| map 
    [| inputlookup EPerformanceData.csv 
    | search "Sub Division 6"="$area$" 
    | stats count  by "Sub Division 5" 
    | eval "% Completed"=((Completed/'Total to be Complete')*100) 
    | eval "% Completed"=round('% Completed',2) 
    | rename "Sub Division 5" as "Business Area"]

This patch of code works well. Now my requirement is i need to add once more inpulookupfile saying dates.csv which i need to use in this query like |inpulookup dates.csv |search Quarter=$quarter$ and here the $quarter$` values comes from the selected dropdown.

But where ever i try to include the above line of code either i get error or my previous tokens like area doesn't get the required value.
So please help me with thequery.

Thanks

Tags (3)
0 Karma

rlalwani_splunk
Splunk Employee
Splunk Employee

Try to use |inpulookup dates.csv where Quarter="$quarter$", might be the token value is set to empty and the replacement causes an syntax error in the query, so enclose the token value in double quotes.

0 Karma

ppatrikfr
Path Finder

Did you try to add token's value in an eval and try to call it on your new inputlookup by eval?

0 Karma

ppatrikfr
Path Finder

Let me explaine better, In my mind you are trying to do this "| Join [|inpulookup dates.csv |search Quarter=$quarter$]", if your "$quarter$" did not work try "| eval quarterValue="$quarter$"" and then "| Join [|inpulookup dates.csv |search Quarter=quarterValue]"

0 Karma
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...