Solved: Re: values from lookup are not filled into map

Deniz_Oe · ‎08-13-2020

Hey!

So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each adress. I came up with the following:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$
| table eventtype,$voucher$"

It returns all the eventtypes I want, but I loose the information of which address (or voucher) was used for getting each of them. So I ideally want something like this:

Voucher = SomeVoucher, Eventtype= a,b,c,d

But I only get the Eventtype bit.

Edit:

I tried the following but it didn't work:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = $voucher$| table voucher, eventtype"

Also when I put $voucher$ in double quotes, it just keeps filling the new voucher field with blanks.

Any Idea?

Deniz_Oe · ‎08-13-2020

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

View solution in original post

Deniz_Oe · ‎08-13-2020

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

values from lookup are not filled into map

field extraction

lookup

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!