Hi,
I'm having a problem evaluating an expression using a lookup field. I create a lookup field by executing this search:
some search| stats avg(count) as Average | outputlookup Average.csv
Next I would like to use this value in other searches to evaluate some field with the saved lookup value. I tried using the lookup command but I cannot append a single field to all results; I can append the field to a separate entry, but then I can't do: eval field1 > field2.
Any suggestions?
thx
What about using a fake lookup-field? Something like:
some search | stats avg(count) as Average | eval keyfield=12345 | outputlookup Average.csv
which will save two columns in the csv file: "keyfield" and "Average". Then, when you run the actual search you could do:
query search | eval keyfield=12345 | lookup Average.csv keyfield OUTPUT Average | where somefield > Average
in order to retrieve the stored value and filter results based on the stored Average.
Thanks, this works!