Can lookups be made conditional on the value of a ...

jambajuice · ‎01-18-2011

Is it possible to make a lookup run only when the value of a field is null or some other value?

Thx.

Craig

Lowell · ‎01-18-2011

Basically, if you hide (or remove) the input field used your lookup, then the lookup for a specific event isn't executed because there is no value to lookup. That makes sense. You can leverage this behavior to do a conditional lookup by conditionally hiding the lookup input field before you call lookup. I think and example would be helpful.

Let's say your base lookup search looks like this:

 ... | lookup mylookup code OUTPUT desc | ...

So lookup is using the "mylookup" lookup table, "code" is the input field and the lookup returns a "desc" field.

Now, let's say you have a field called "bool" that enabled/disables this lookup. (The lookup is enabled when "bool=1"). Then you can use a search like this:

 ... | eval _copy_code=code
     | eval code=if(bool==1, code, null())
     | lookup mylookup code OUTPUT desc
     | rename _copy_code as copy
     | ...

Note: If you don't need to preserve "code" then you can drop out the first and last search commands.

The following question & answer may help too:

http://answers.splunk.com/questions/4079/making-a-lookup-optional-or-how-to-build-a-multi-level-look...

Can lookups be made conditional on the value of a field?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application