Hi to all,
I would like to define a dynamic condition into a lookup, which uses the fields defined inside a search, ad evaluate it into a search.
[my_lookup.csv]
service,condition
my_service,a>b
This is what would like to do:
| inputlookup my_lookup.csv
| eval a=3
| eval b=4
| eval result=if(condition,1,0)
Thanks!
@robertosegantin, try the following run anywhere search. The first makeresults
command creates some test data with a and b values. Second makeresults
command mimics lookup table with the following services and search expressions:
service search
less_than a<b
greater_than a>b
equal a=b
not_equal a!=b
Following is the run anywhere search for testing. Keep changing service name from less_than
to something else in the second search.
| makeresults
| eval data="a=1,b=2;a=2,b=2;a=3,b=2"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| fields - _time, _raw
| eval result=if(
[| makeresults
| fields - _time
| eval data="service=\"less_than\",search=\"a<b\";service=\"greater_than\",search=\"a>b\";service=\"equal\",search=\"a=b\";service=\"not_equal\",search=\"a!=b\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| extract pairdelim=,kvdelim="="
| fields - a _raw
| search service="less_than"
| table search],1,0)
Following is the output:
a b result
1 2 1
2 2 0
3 2 0
I tried to semplify your solution.
This works:
| makeresults
| eval a=1
| eval b=2
| eval result=if(
[| makeresults
| eval data="search=a<b"
| rename data as _raw
| extract pairdelim=,kvdelim="="
| table search],1,0)
But unfortunately I am on the following scenario, which does not work:
| makeresults
| eval a=1
| eval b=2
| eval c="a<b"
| eval result=if(
[| makeresults
| eval data="search=".c
| rename data as _raw
| extract pairdelim=,kvdelim="="
| table search],1,0)
@robertosegantin do you want to apply dynamic condition from the lookup or based on the condition applied you need to pull some other information from lookup. Your question seemed to be the first one which is what the run anywhere search provided solves. Instead of inner makeresults you would need to call the lookup file to get the condition to be applied in your query.
@niketnilay, I've corrected some mistakes that I did, and now it works correctly.
Note that the field extracted from the last "table" inside the subsearch MUST BE "search".
So now this is my working search:
| makeresults
| eval a=80
| eval b=60
| eval result=if(
[| inputlookup conf_lookup.csv
| where servizio_nome="MY SERVICE"
| eval search=condition_KO
| table search],1,0)
Is it possibile to make something like this?
| makeresults
| eval a=80
| eval b=60
| eval service="MY SERVICE"
| eval result=if(
[| inputlookup conf_lookup.csv
| where servizio_nome="$service$"
| eval search=condition_KO
| table search],1,0)
Thanks
@robertosegantin sorry I had missed your follow up question. Seems like this is a use case for map command. If your issue is resolved, do accept/up-vote the comments that helped!