Solved: How to search on multiple lookups?

sfatnass · ‎06-18-2015

hi guys,

i want to know how to search on multiple lookup like using OR.

index=A

| lookup mylookup fieldin1 OUTPUT fieldout1

OR
| lookup mylookup2 fieldin2 OUTPUT fieldOUT2

NOT
| lookup mylookup3 fieldin3 OUTPUT fieldout3

thx

vganjare · ‎06-18-2015

There is no conditional lookups concept in splunk. You can use SPL to achieve the same:

index=A | lookup mylookup fieldin1 OUTPUT fieldout1 | lookup mylookup2 fieldin2 OUTPUT fieldOUT2 | lookup mylookup3 fieldin3 OUTPUT fieldout3 | eval MyField= coalesce(fieldout1, fieldOUT2) | fillnull value="NULL" fieldout3 | where fieldout3="NULL"

Thanks!!!

View solution in original post

vganjare · ‎06-18-2015

There is no conditional lookups concept in splunk. You can use SPL to achieve the same:

index=A | lookup mylookup fieldin1 OUTPUT fieldout1 | lookup mylookup2 fieldin2 OUTPUT fieldOUT2 | lookup mylookup3 fieldin3 OUTPUT fieldout3 | eval MyField= coalesce(fieldout1, fieldOUT2) | fillnull value="NULL" fieldout3 | where fieldout3="NULL"

Thanks!!!

sfatnass · ‎06-18-2015

thx i will try it

How to search on multiple lookups?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to search on multiple lookups?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases