How to select 2 different lookup table based on di...

santosh_hb · ‎09-18-2017

Hi Team,

I would like to call different lookup table based on the cloudname in my search query.

For ex:

if cloudname=test1, then call the below search query

else,

if cloudname=test2, then call the below search query

So, my query is, how can I combine both these queries such that if cloudname=test1 then, the first lookup (lookup_test1) is called else, if cloudname=test2 then the second lookup (lookup_test2) is called

regards,
Santosh

DalJeanis · ‎09-18-2017

Since the searches are all inputlookups, we don't have to worry about the expense of the search.

Therefore, we can just add a filter before each of the joins that will kill the records from the other cloud, and then append the two searches together. This assumes the search will be in a panel and there is a token named mycloudtoken that contains either "test1" or "test2"

| inputlookup lookup_test1 
| join type=inner 
    [ | inputlookup info_lookup where cloudname="test1" 
      | where cloudname="$mycloudtoken$"
      | dedup cloudname hostname 
      | rename hostname as host_name 
      | table cloudname host_name 
      ]
| append 
    [ | inputlookup lookup_test2 
      | join type=inner 
        [ | inputlookup info_lookup where cloudname="test2" 
          | where cloudname="$mycloudtoken$"
          | dedup cloudname 
          | table cloudname ] 
      ]
| sort metrics_id 
| table metrics_id host_name

DalJeanis · ‎09-18-2017

Is this going to be in a panel with tokens?

santosh_hb · ‎09-21-2017

yes it will be in the same panel that uses the tokens.

How to select 2 different lookup table based on different cloud name

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes