Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to select 2 different lookup table based on different cloud name

santosh_hb
Explorer
‎09-18-2017 01:36 AM

Hi Team,

I would like to call different lookup table based on the cloudname in my search query.

For ex:

if cloudname=test1, then call the below search query

|inputlookup lookup_test1 | join type=inner [ | inputlookup info_lookup where cloudname=test1 | dedup cloudname hostname | rename hostname as host_name | table cloudname host_name ] | sort metrics_id | table metrics_id host_name

else,

if cloudname=test2, then call the below search query

|inputlookup lookup_test2 | join type=inner [ | inputlookup info_lookup where cloudname=test2 | dedup cloudname | table cloudname ] | sort metrics_id | table metrics_id host_name

So, my query is, how can I combine both these queries such that if cloudname=test1 then, the first lookup (lookup_test1) is called else, if cloudname=test2 then the second lookup (lookup_test2) is called

regards,
Santosh

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎09-18-2017 07:16 AM

Since the searches are all inputlookups, we don't have to worry about the expense of the search.

Therefore, we can just add a filter before each of the joins that will kill the records from the other cloud, and then append the two searches together. This assumes the search will be in a panel and there is a token named mycloudtoken that contains either "test1" or "test2"

| inputlookup lookup_test1 
| join type=inner 
    [ | inputlookup info_lookup where cloudname="test1" 
      | where cloudname="$mycloudtoken$"
      | dedup cloudname hostname 
      | rename hostname as host_name 
      | table cloudname host_name 
      ]
| append 
    [ | inputlookup lookup_test2 
      | join type=inner 
        [ | inputlookup info_lookup where cloudname="test2" 
          | where cloudname="$mycloudtoken$"
          | dedup cloudname 
          | table cloudname ] 
      ]
| sort metrics_id 
| table metrics_id host_name
0 Karma
Reply

DalJeanis
Legend
‎09-18-2017 07:09 AM

Is this going to be in a panel with tokens?

0 Karma
Reply

santosh_hb
Explorer
‎09-21-2017 01:47 AM

yes it will be in the same panel that uses the tokens.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...