Re: How do you build a lookup table name during ru...

seomisp · ‎10-26-2018

I have a few lookup tables that I need to query against. For example:

LT_type1
LT_type2

Depending on my search, the type1 or type2 will be different. My initial thought was to build the name of the lookup table on the fly. The "_type1" part of the lookup table name will come from the field "type" of my search on index X. The Lookup table also as a field with the name as the same value as "type":

index=X | eval t="LT_".type | lookup t type

I get an error saying lookup t doesn't exist. Any ideas how to do this?

valiquet · ‎12-21-2018

niketn · ‎10-27-2018

@seomisp, if you have only two values for type i.e. type1 and type2, one of the options would be use multisearch command with each type in the filter for respective search.

PS: The multisearch command joins two searches with streaming command without sub-search limitations.

Following is a sample search based on your question:

index=X | eval t="LT_".type | lookup t type
    | multisearch 
        [ search index=X type="type1" 
        | lookup LY_type1 type] 
        [  search index=X type="type2" 
        | lookup LY_type2 type]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

seomisp · ‎10-29-2018

"type1" and "type2" was just an example. I have more than 2 types.

How do you build a lookup table name during runtime of the query?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?