Re: Better search query way in terms of performanc...

N92 · ‎09-03-2019

I have below search criteria so let me know best way for this.

base search (which have output in table format) [table sourcetype def ghi]
sourcetype= 1 check with static lookup and store respective result in "ghi" field
sourcetype= 2 check with static lookup and store respective result in "ghi" field

tscroggins · ‎09-03-2019

Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2:

sourcetype,ghi
1,"some ghi value"
2,"another ghi value"

| lookup sourcetype_ghi_lookup.csv sourcetype output ghi

You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically.

somesoni2 · ‎09-03-2019

Give this a try

your base search
| lookup yourSourcetype1lookup.csv fieldName OUTPUT ghi as ghi1
| lookup yourSourcetype2lookup.csv fieldName OUTPUT ghi as ghi2
| eval ghi=iff(sourcetype="sourcetype1", ghi1,ghi2) | fields - ghi1 ghi2

N92 · ‎09-03-2019

It works. Thanks @somesoni2

jpolvino · ‎09-03-2019

Can you please provide samples of what your table represents, and what you want to do with the two sourcetype lines you mention?

N92 · ‎09-03-2019

| table dest user source sourcetype result
| lookup users.csv users as user OUTPUT host_name as result
| lookup users.csv source as user OUTPUT host_name as result

For both the lookup condition I am try to distinguish with sourcetype condition.

Better search query way in terms of performance

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life