I have multiple CSV lookup files and I want to use a variable to determine which lookup table to choose in my search.
for example:
field1 {lookupFile, lookupFile2, lookupfile3,.....}
field2 {choose2, choose3, choose1, .....}
index="sample_index" |mvexpand field2| eval file_name= field2 + ".csv" | lookup file_name Id Ouput value | table *
I am sure that I understand your question but I completely do NOT understand your details so I will be starting over. Let's say you have 3 CSVs and if fieldX
has value value1
you need to use lookupA
, but for value2
you need to use lookupB
and for value3
you need to use lookupC
. You can do it like this:
... | eval keyA=if(fieldX="value1"), fieldX, null()) | lookup lookupA keyA
| eval keyB=if(fieldX="value2"), fieldX, null()) | lookup lookupB keyB
| eval keyC=if(fieldX="value3"), fieldX, null()) | lookup lookupC keyC
So even though you are doing all 3 lookups for every field, only 1 of the keys will exist for any given event which means that 2 lookups will always be skipped because the input field value does not exist (is null()
).
I am sure that I understand your question but I completely do NOT understand your details so I will be starting over. Let's say you have 3 CSVs and if fieldX
has value value1
you need to use lookupA
, but for value2
you need to use lookupB
and for value3
you need to use lookupC
. You can do it like this:
... | eval keyA=if(fieldX="value1"), fieldX, null()) | lookup lookupA keyA
| eval keyB=if(fieldX="value2"), fieldX, null()) | lookup lookupB keyB
| eval keyC=if(fieldX="value3"), fieldX, null()) | lookup lookupC keyC
So even though you are doing all 3 lookups for every field, only 1 of the keys will exist for any given event which means that 2 lookups will always be skipped because the input field value does not exist (is null()
).
thank you very much!