I have the search criteria below, so let me know the best way to do this.
base search (whose output is in table format) [table sourcetype def ghi]
sourcetype=1: check against a static lookup and store the respective result in the "ghi" field
sourcetype=2: check against a static lookup and store the respective result in the "ghi" field
Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2:
sourcetype,ghi
1,"some ghi value"
2,"another ghi value"
| lookup sourcetype_ghi_lookup.csv sourcetype output ghi
You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically.
Give this a try
your base search
| lookup yourSourcetype1lookup.csv fieldName OUTPUT ghi as ghi1
| lookup yourSourcetype2lookup.csv fieldName OUTPUT ghi as ghi2
| eval ghi=iff(sourcetype="sourcetype1", ghi1,ghi2) | fields - ghi1 ghi2
It works. Thanks @somesoni2
Can you please provide samples of what your table represents, and what you want to do with the two sourcetype lines you mention?
| table dest user source sourcetype result
| lookup users.csv users as user OUTPUT host_name as result
| lookup users.csv source as user OUTPUT host_name as result
For both lookup conditions, I am trying to distinguish by the sourcetype condition.
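Putting the two answers together for the search in the last comment, as an added example that is not from the original thread: both lookups in that comment OUTPUT into the same field, result, so the second lookup overwrites the first on every row regardless of sourcetype. Writing each lookup result to its own field and then picking one by sourcetype keeps them apart; case() is used instead of iff() so that a row with a sourcetype other than 1 or 2 gets an empty result rather than silently taking the second value. The index name, the sourcetype values 1 and 2, the users.csv contents (assumed to carry the fields users and host_name, as in the comment), and the lookup_status field are assumptions made for this illustration.

```spl
index=main (sourcetype=1 OR sourcetype=2)
| table dest user source sourcetype result
``` look up users.csv once per candidate field, each into its own output field ```
| lookup users.csv users AS user OUTPUT host_name AS result_by_user
| lookup users.csv users AS source OUTPUT host_name AS result_by_source
``` choose by sourcetype; case() yields null when neither branch matches ```
| eval result=case(sourcetype="1", result_by_user, sourcetype="2", result_by_source)
``` surface rows the lookup did not match so they are not silently dropped ```
| eval lookup_status=if(isnull(result), "no_match", "matched")
| fields - result_by_user result_by_source
```

If the static mapping for each sourcetype lives in different files (as in the accepted answer), replace the two users.csv lines with one lookup per file; the case() and clean-up lines stay the same.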