Different lookup csv depending on field value

chrkohm · ‎05-19-2020

Hi,
I´m trying to lookup different csv-files depending on an field-Value.
But it seems to be a problem for the lookup command to handle an variable as lookup-csv-file.

index=yxz
| search model="123"
| eval lookupfile=case(model == 123, "123_lookup.csv", model == 456, "456_lookup.csv", model == 789, "789_lookup.csv")
| lookup lookupfile ErrorCode

I´m getting this Error Message:

Error in 'lookup' command: Could not construct lookup 'lookupfile, ErrorCode'. See search.log for more details.

Can someone help me with this?

jkat54 · ‎05-19-2020

The only way I ever got this "case for dynamic lookups" to work was by using a dashboard and setting a token with the eval in a drop down, and then I used the token in my search in my dashboard panel.

richgalloway · ‎05-19-2020

I'm pretty sure lookup won't take a field name, but try this before giving up.

| lookup 'lookupfile' ErrorCode

---
If this reply helps you, Karma would be appreciated.

Different lookup csv depending on field value

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?

Different lookup csv depending on field value

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25