Re: Can eval if match be used with inputlookup?

chrisfrigo · ‎01-27-2015

So what I'm trying trying to achieve is searching a field for contained in a CSV file, not an exact match. I can do this with single word using

| eval catch=if(match(field123,"contain-word"),"matches","other") | search catch=matches

but wondering if there's some way of using inputlookups or if anyone can recommend another way to search a field containing with a input file. This is what I have tried.

| eval catch=if(match(field123,"[| inputlookup input-file]"),"matches","other") | search catch=matches

Raghav2384 · ‎01-27-2015

Try this logic...

...base search [|inputlookup xyz.csv|eval Catch = if(match(field1,"matching term"),"match","other")|where Catch = "match"|fields Field_i_need_from_lookup]

So basically, you are applying the match function on lookup first and retrieving needed field where Catch = Match and passing it to the parent search.

Hope this helps.

Thanks,
Raghav

chrisfrigo · ‎01-27-2015

hmmm... the matching terms are the text contained in the CSV so not sure this will work.

chrisfrigo · ‎01-27-2015

I'm trying to search words contained in a CSV file in a particular field, hence why I was trying to use inputlookup in the match criteria.

Can eval if match be used with inputlookup?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor