Splunk Search

query help inputlookup map

Communicator
| rest /services/authentication/users splunk_server=local 
| search 
    [| rest /services/authentication/current-context 
    | rename username as title 
    | fields title] 
| eval title=upper(title) 
| lookup employeeinfo.csv RACF_ID as title output EMPLOYEE_FULL_NAME 
| lookup rolesnames.csv "Delivery Manager" as EMPLOYEE_FULL_NAME output "Delivery Area" as area 
| where EMPLOYEE_FULL_NAME="abcd" 
| map 
    [| inputlookup EPerformanceData.csv 
    | search "Sub Division 6"="$area$" 
    | stats count  by "Sub Division 5" 
    | eval "% Completed"=((Completed/'Total to be Complete')*100) 
    | eval "% Completed"=round('% Completed',2) 
    | rename "Sub Division 5" as "Business Area"]

This patch of code works well. Now my requirement is i need to add once more inpulookupfile saying dates.csv which i need to use in this query like |inpulookup dates.csv |search Quarter=$quarter$ and here the $quarter$` values comes from the selected dropdown.

But where ever i try to include the above line of code either i get error or my previous tokens like area doesn't get the required value.
So please help me with thequery.

Thanks

Tags (3)
0 Karma

Splunk Employee
Splunk Employee

Try to use |inpulookup dates.csv where Quarter="$quarter$", might be the token value is set to empty and the replacement causes an syntax error in the query, so enclose the token value in double quotes.

0 Karma

Path Finder

Did you try to add token's value in an eval and try to call it on your new inputlookup by eval?

0 Karma

Path Finder

Let me explaine better, In my mind you are trying to do this "| Join [|inpulookup dates.csv |search Quarter=$quarter$]", if your "$quarter$" did not work try "| eval quarterValue="$quarter$"" and then "| Join [|inpulookup dates.csv |search Quarter=quarterValue]"

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!