Wasn't sure how title this one. We are to do feed multiple different events into same dashboards interfaces built in sideview. I would like to be able to stream multiple types of events into same interface where I lookup which field should be displayed in DISPLAY_FIELD....
search (returning events with a TYPE field which dictates which field DISPLAY_FIELD should be set to... )
| eval DISPLAY_FIELD=case(TYPE=TYPE1, DISPLAY_FIELD1, TYPE=TYPE2, DISPLAY_FIELD2, , TYPE=TYPE3, DISPLAY_FIELD3,...)
Would like to figure out how to replace case with a lookup
| lookup DISPLAY_FIELD_NAMES TYPE OUTPUT DISPLAY_FIELD_NAME
| eval DISPLAY_FIELD=value(DISPLAY_FIELD_NAME)
Give this a try
Your base search | stats count by TYPE | lookup DISPLAY_FIELD_NAMES TYPE OUTPUT DISPLAY_FIELD_NAME
| map maxsearches=100 search="Your base search (replace all double quotes with \doublequote| eval DISPLAY_FIELD=$DISPLAY_FIELD_NAME$"
A sample runanywhere example for this is below:
| gentimes start=-1 | eval DisplayField="Last" | map maxsearches=100 search="| gentimes start=-1 | eval First=\"Somesh\" | table First | eval Last=\"Soni\" | eval Result=$DisplayField$"
| eval DisplayField="Last" value to "First" to see the change in Result field value.