I want to pick up values from different columns fr...

veerendra_modi · ‎03-13-2019

I want to pick up values from different lookup files according to the sourcetype.
| lookup error_rules.csv EventSubType Criticality OUTPUT wait_time threshold_count window_limit

Say i have two source type 1 and type2

For type1 i want to lookup EventSubType and Criticality_type1 in lookup error_rules.csv
For type2 i want to lookup EventSubType and Criticality_type2 in lookup error_rules.csv

Please suggest the solution for this scenario if case needs to be used let me know how it will be implemented.

woodcock · ‎03-15-2019

Like this:

... | eval Criticality = if(sourceype="type1", Criticality_type1, Criticality_type2)
| lookup error_rules.csv EventSubType Criticality OUTPUT wait_time threshold_count window_limit
| fields - Criticality

woodcock · ‎03-15-2019

Just add sourcetype to your lookup file.

adonio · ‎03-15-2019

not sure i fully understand, but how about something along those lines:

 ... your search ... (sourcetype=1 OR sourcetype=2) ... | lookup error_rules.csv EventSubType Criticality OUTPUT wait_time threshold_count window_limit
| eval Criticality_type1= if(sourcetype=="1",Criticality,null())
| eval Criticality_type2= if(sourcetype=="2",Criticality,null())
| .... more stuff if you want

I want to pick up values from different columns from lookup files according to the sourcetype.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!