Splunk Search

values from lookup are not filled into map

Deniz_Oe
Explorer

Hey!

 

So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each address. I came up with the following:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$
| table eventtype,$voucher$"

It returns all the eventtypes I want, but I lose the information of which address (or voucher) was used for getting each of them. So I ideally want something like this:

Voucher = SomeVoucher, Eventtype= a,b,c,d

But I only get the Eventtype bit.


Edit:

I tried the following but it didn't work:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = $voucher$| table voucher, eventtype"

Also, when I put $voucher$ in double quotes, it just keeps filling the new voucher field with blanks.

Any idea?

0 Karma
1 Solution

Deniz_Oe
Explorer

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

0 Karma
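
Added example (not part of the original thread): a search that runs without the CSV or the production indexes and shows why the escaped quotes matter. `map` pastes the token value into the search text before it is parsed, so an unquoted `$voucher$` inside `eval` is read as an expression (here the missing field `VCH` minus a number, which is null), while `\"$voucher$\"` becomes a string literal. The `VCH-n` voucher values and the field names `n`, `unquoted` and `quoted` are constructed for illustration.

```spl
| makeresults count=3 ```constructed sample vouchers, standing in for voucher_numbers.csv```
| streamstats count AS n
| eval voucher="VCH-" . n
| table voucher
| map maxsearches=3 search="| makeresults
    | eval unquoted=$voucher$, quoted=\"$voucher$\"
    | table unquoted, quoted"
```

`map` runs at most 10 searches unless `maxsearches` is raised, so a long lookup needs that option set explicitly or the remaining rows are skipped.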
