Splunk Search

how to assign an eval statement to matches on a subsearch?

Engager

I have a main search and a lookup table.
I want to assign a field called isCorrect to values from the main search that match the lookup table.

It would look something like this:

<main search>
| eval isCorrect = if(<found in lookup> , "true", "false")

However, I am not sure how to form the logic for the boolean statement in the if statement.

For now my boolean statement looks like:
[|inputlookup lookup.csv| fields match]


Re: how to assign an eval statement to matches on a subsearch?

SplunkTrust

A subsearch won't work there. You should consult the lookup table for each event and test for correctness. Something like this:

<main search>
| lookup lookup.csv <some field from the event> output <some field from the lookup>
| eval isCorrect = if(isnull(<some field from the lookup>), "false", "true")
---
If this reply helps you, an upvote would be appreciated.

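As an added example (not from the thread itself), the pattern above with concrete names filled in: assume events carry a `src_ip` field and that `lookup.csv` has a `match` column holding the addresses to flag; the `index`/`sourcetype` values, the `AS src_ip` rename and the `matched` output name are assumptions.

```spl
index=web sourcetype=access_combined
| lookup lookup.csv match AS src_ip OUTPUT match AS matched
| eval isCorrect = if(isnull(matched), "false", "true")
| stats count BY isCorrect
```

Renaming the output to `matched` keeps the lookup from overwriting a `match` field the events may already carry, and the final `stats` shows at a glance how many events did and did not hit the table.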

Re: how to assign an eval statement to matches on a subsearch?

Engager

Great it works for me!
