Solved: eval an existing field which is used for a lookup.... - Page 2

ndcl · ‎07-03-2013

Hi Base,
when I do an eval on an existing field which is also used for a lookup than the lookup ignores the eval result and use the origin instead.
f.e. I have IP addresses from 2 fields fieldIpA and fieldIpB and I combine them

| eval fieldIpA=coalesce(fieldIpA,fieldIpB)

If I do a “stats list(fieldIpA)” I will get a list with the results from both. If I do a lookup to resolve the IP to something else:

| lookup IPDes Description as rIPs

Then the lookup only return the results from fieldIpA.
If I add to the probs.conf declaration:

LOOKUP-< rIP> = fieldIpA AS tIP OUTPUT Description as rIPs

and do the eval with the tIP field than I get empty results and no lookup.
How it is possible to get the lookup to work?

Thanks!

ndcl · ‎07-04-2013

2 lookups doing the job. Declare a lookup for both fields in prop.conf:

LOOKUP-< rIPA> = aLOIP AS fieldIpA OUTPUT Description as ArIPs
LOOKUP-< rIPB> = bLOIP AS fieldIpB OUTPUT Description as BrIPs

Point the lookups to the same file in transforms.conf:

[aLOIP]
filename = ip_Des.csv
[bLOIP]
filename = ip_Des.csv

Now the Search look like this:

... | lookup aLOIP Description as ArIPs | lookup bLOIP Description as BrIPs | eval NewrIPs=coalesce(ArIPs,BrIPs) | stats list(NewrIPs)

If you want you can skip the Description part in the lookup.

View solution in original post

eval an existing field which is used for a lookup...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor