Hi Base,
When I do an eval on an existing field which is also used for a lookup, then the lookup ignores the eval result and uses the original instead.
For example, I have IP addresses from 2 fields, fieldIpA and fieldIpB, and I combine them:
| eval fieldIpA=coalesce(fieldIpA,fieldIpB)
If I do a “stats list(fieldIpA)” I will get a list with the results from both. If I do a lookup to resolve the IP to something else:
| lookup IPDes Description as rIPs
Then the lookup only returns the results from fieldIpA.
If I add to the props.conf declaration:
LOOKUP-< rIP> = fieldIpA AS tIP OUTPUT Description as rIPs
and do the eval with the tIP field, then I get empty results and no lookup.
How is it possible to get the lookup to work?
Thanks!
2 lookups do the job. Declare a lookup for both fields in props.conf:
LOOKUP-< rIPA> = aLOIP
LOOKUP-< rIPB> = bLOIP
Point the lookups to the same file in transforms.conf:
[aLOIP]
filename = ip_Des.csv
[bLOIP]
filename = ip_Des.csv
Now the search looks like this:
... | lookup aLOIP Description as ArIPs | lookup bLOIP Description as BrIPs | eval NewrIPs=coalesce(ArIPs,BrIPs) | stats list(NewrIPs)
If you want you can skip the Description part in the lookup.
The problem asked here was the lookup, not the coalesce, and in my case it matches the definition exactly.
Thanks
Are you sure it's right? It may work for now, but you will not get "BrIPs" ever if the "ArIPs" value is not NULL. Please follow the definition of coalesce carefully. Thanks.
It seems that I was not exact enough. Of course I get the values of fieldIpA, that's my intention, but if I use it the way you suggested:
“| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)”
then I'm back at the starting point of the problem. The values of fieldIpA are from before the processing via eval, and the lookup comes after the eval. I think that the lookup will be built before search time and the eval will cast the field to a new variable that the lookup does not "see". I should better create 2 lookups and combine the result fields.
Thanks
Yes, it will always return the value of fieldIpA if it's not Null at any place. That's the job of the coalesce function. If you want both of them, then you have to do the below query.
table fieldIpA,fieldIpB| lookup LtDes fieldIpA |lookup LtDes fieldIpB as fieldIpA|stats list(fieldIpA,fieldIpB).
Let's hope it gives you the result.
OK, my fault: I missed the IPDes, but it was there, so:
LOOKUP-< rIP> = IPDes fieldIpA OUTPUT Description as rIPs
is the correct line. The search:
| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)
worked, but with the same result as before: only values from fieldIpA.
it should be
props.conf I declare IPDes:
LOOKUP-< rIP> = LtDes fieldIpA OUTPUTNEW rIPs
| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup LtDes fieldIpA | stats list(fieldIpA)
Please give the correct column name in the lookup table.
Have fieldIpA,rIPs as lookup fields, that should do the job for you.
The original search looks similar to this:
...| eval fieldIpA=coalesce(fieldIpA,fieldIpB)| lookup IPDes Description as rIPs | stats list(fieldIpA)
In props.conf I declare IPDes:
LOOKUP-< rIP> = fieldIpA OUTPUT Description as rIPs
The lookup field has the same name as the field.
and transforms.conf:
[LtDes]
filename = ip_Des.csv
If I use this syntax: "lookup fieldIpA as fieldIpA", it throws an error: no such lookup. Right after the lookup, the lookup name is needed.
Could you share the search query? After the eval fieldIpA=coalesce(fieldIpA,fieldIpB)|lookup fieldIpA as Lookuptable_field should give you the result.
Are you doing the eval to the same field and assigning it to itself? Assign it to some other variable if you are using it for other purposes. Try doing the lookup after the eval is done and you have the final result for the field. And while calling lookup, try to specify the field names,
e.g. |lookup search_field as lookup_field