https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453861#M128426 <P>@seomisp, if you have only two values for type i.e. <CODE>type1</CODE> and <CODE>type2</CODE>, one of the options would be use multisearch command with each type in the filter for respective search.</P> <P>PS: The <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch">multisearch</A> command joins two searches with streaming command without sub-search limitations.</P> <P>Following is a sample search based on your question:</P> <PRE><CODE>index=X | eval t="LT_".type | lookup t type | multisearch [ search index=X type="type1" | lookup LY_type1 type] [ search index=X type="type2" | lookup LY_type2 type] </CODE></PRE> Sat, 27 Oct 2018 15:46:10 GMT niketn 2018-10-27T15:46:10Z https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453860#M128425 <P>I have a few lookup tables that I need to query against. For example:</P> <P>LT_type1<BR /> LT_type2</P> <P>Depending on my search, the type1 or type2 will be different. My initial thought was to build the name of the lookup table on the fly. The "_type1" part of the lookup table name will come from the field "type" of my search on index X. The Lookup table also as a field with the name as the same value as "type":</P> <PRE><CODE>index=X | eval t="LT_".type | lookup t type </CODE></PRE> <P>I get an error saying lookup t doesn't exist. Any ideas how to do this?</P> Tue, 29 Sep 2020 21:49:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453860#M128425 seomisp 2020-09-29T21:49:21Z https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453861#M128426 <P>@seomisp, if you have only two values for type i.e. <CODE>type1</CODE> and <CODE>type2</CODE>, one of the options would be use multisearch command with each type in the filter for respective search.</P> <P>PS: The <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch">multisearch</A> command joins two searches with streaming command without sub-search limitations.</P> <P>Following is a sample search based on your question:</P> <PRE><CODE>index=X | eval t="LT_".type | lookup t type | multisearch [ search index=X type="type1" | lookup LY_type1 type] [ search index=X type="type2" | lookup LY_type2 type] </CODE></PRE> Sat, 27 Oct 2018 15:46:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453861#M128426 niketn 2018-10-27T15:46:10Z https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453862#M128427 <P>"type1" and "type2" was just an example. I have more than 2 types.</P> Mon, 29 Oct 2018 18:23:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453862#M128427 seomisp 2018-10-29T18:23:48Z https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453863#M128428 <P>index=X | eval t="LT_".type <BR /> |stats count by t<BR /> |map maxsearches=10 search="index=X | eval t=$t$ | lookup $t$ type "</P> Sat, 22 Dec 2018 00:19:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-build-a-lookup-table-name-during-runtime-of-the-query/m-p/453863#M128428 valiquet 2018-12-22T00:19:34Z