Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to do a lookup based on IF statement?

guimilare
Communicator
‎01-24-2018 08:43 AM

Hello Splunkers,
here is my scenario:

I have a field actionType that can assume two values: "S" or "A".
Based on actionType value, I need to do a lookup in different lookup tables.

For example, if actionType is "S", I have to do a lookup with S_actions.csv table; if it is "A", I have to do a lookup with A_actions.csv table.

My first idea was using an if statement, but I was unable to do so.
Any Ideas?

Thank in advance!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-24-2018 09:43 AM

I'd do it like this:

your base search 
| eval s_action=if(actionType="S", Action, NULL), a_action=if(actionType="A", Action, NULL
| lookup S_actions.csv action AS s_action
| lookup A_actions.csv action AS a_action
| fields - s_action a_action

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-24-2018 09:43 AM

I'd do it like this:

your base search 
| eval s_action=if(actionType="S", Action, NULL), a_action=if(actionType="A", Action, NULL
| lookup S_actions.csv action AS s_action
| lookup A_actions.csv action AS a_action
| fields - s_action a_action
Reply
Solved! Jump to solution

guimilare
Communicator
‎01-24-2018 09:54 AM

Thanks! Exactly what I needed!

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-24-2018 10:05 AM

Glad to help. 🙂

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-24-2018 08:48 AM

on selection of action type as "S" or "A", what action needs to be performed on lookup?

0 Karma
Reply
Solved! Jump to solution

guimilare
Communicator
‎01-24-2018 08:52 AM

I'll use a second field called "Action" (that's a code, and can be multivalue) and get the action description using the lookup.
Both S and A actionTypes have similar codes (e.g: A1, A2, A3). That's why I need to separate the lookups.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...