Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can lookups be made conditional on the value of a field?

jambajuice
Communicator
‎01-18-2011 04:42 AM

Is it possible to make a lookup run only when the value of a field is null or some other value?

Thx.

Craig

Tags (1)
Reply

Lowell
Super Champion
‎01-18-2011 07:38 PM

Basically, if you hide (or remove) the input field used your lookup, then the lookup for a specific event isn't executed because there is no value to lookup. That makes sense. You can leverage this behavior to do a conditional lookup by conditionally hiding the lookup input field before you call lookup. I think and example would be helpful.

Let's say your base lookup search looks like this:

 ... | lookup mylookup code OUTPUT desc | ...

So lookup is using the "mylookup" lookup table, "code" is the input field and the lookup returns a "desc" field.

Now, let's say you have a field called "bool" that enabled/disables this lookup. (The lookup is enabled when "bool=1"). Then you can use a search like this:

 ... | eval _copy_code=code
     | eval code=if(bool==1, code, null())
     | lookup mylookup code OUTPUT desc
     | rename _copy_code as copy
     | ...

Note: If you don't need to preserve "code" then you can drop out the first and last search commands.

The following question & answer may help too:

http://answers.splunk.com/questions/4079/making-a-lookup-optional-or-how-to-build-a-multi-level-look...

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...