Re: Is it possible to call lookup within case stat...

RSS_STT · ‎03-12-2024

I want to call lookup within case statement. if possible, please share sample query.

RSS_STT · ‎03-12-2024

I have fields aa, bb, cc, dd, hostname and sometime few filed value may be null in payload.

What i want to do.

if (aa, bb is not null) than lookup abc.csv name output name hostname ip

if (cc, dd is not null) than lookup abc.csv name output name hostname ip

if hostname=echo than lookup abc.csv name output name hostname ip

Here is the catch, if 1st if condition is executed it should ignore 2nd & 3rd.

if 2nd if statement executed than 3rd should ignored. Like wise i have to go upto 10 if condition.

ITWhisperer · ‎03-12-2024

Since all the lookups appear to be the same, why not do the lookup first, then evaluate (with your conditions) whether the results are worth keeping?

ITWhisperer · ‎03-12-2024

The simple answer is no - what is your usecase? what are you trying to achieve? There may be another way

bowesmana · ‎03-12-2024

Yes you can using the lookup eval command

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/ConditionalFunctions#look...

It has to come from a CSV, you cannot use KV store lookups

ITWhisperer · ‎03-12-2024

Good point - not easy to use in a case statement though

bowesmana · ‎03-12-2024

True enough - it's fiddly and requires post processing of the JSON output, but it's one of the rare conditional if/execute pieces of powerful logic in SPL

Is it possible to call lookup within case statement?

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation