Solved: Re: values from lookup are not filled into map

Deniz_Oe · ‎08-13-2020

Hey!

So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each adress. I came up with the following:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$
| table eventtype,$voucher$"

It returns all the eventtypes I want, but I loose the information of which address (or voucher) was used for getting each of them. So I ideally want something like this:

Voucher = SomeVoucher, Eventtype= a,b,c,d

But I only get the Eventtype bit.

Edit:

I tried the following but it didn't work:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = $voucher$| table voucher, eventtype"

Also when I put $voucher$ in double quotes, it just keeps filling the new voucher field with blanks.

Any Idea?

Deniz_Oe · ‎08-13-2020

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

View solution in original post

Deniz_Oe · ‎08-13-2020

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

values from lookup are not filled into map

field extraction

lookup

subsearch

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?