Splunk Search

lookup table to show values that do not match

stephen123
Path Finder

Hi - I have a look-up table of error codes and descriptions, and a log file with error codes

lookup error_descriptions_table look_up_errors as errors OUTPUT description | top description

This works fine if all the error codes are in the look-up table, but if a new error appears in the log it will not display it (or combines them into a null field) - so what I want it to do is display the error description if possible, otherwise display the code - in the same column

so if the look-up table is

200, perfect

404, page not found

500, internal server error

etc

log file is

200

200

404

700

404

800

200

etc

At the moment I get

perfect 3

null 2

not found 2

What I want is

perfect 3

not found 2

700 1

800 1

Thanks

0 Karma
1 Solution

Drainy
Champion

Appending an eval after your search should do the job, something like:

| eval description=if(isnull(description),look_up_errors,description)

This basically says, set the field description equal to the look_up_errors value if the field is null (no value is returned from the lookup). Otherwise, if it isn't null then we can assume it has successfully looked up a description and instead keep using it.
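
The full pipeline on the question's sample data, as an added example that is not part of the original post. It assumes the lookup error_descriptions_table has the columns look_up_errors and description, builds constructed events with makeresults, and uses coalesce, which is equivalent to the if(isnull(...)) form above. The fallback names errors, the event-side field that follows AS in the lookup clause.

```spl
| makeresults count=7 ```constructed sample events matching the log in the question```
| streamstats count AS n
| eval errors=case(n==1,"200", n==2,"200", n==3,"404", n==4,"700", n==5,"404", n==6,"800", n==7,"200")
| lookup error_descriptions_table look_up_errors AS errors OUTPUT description ```assumed column names```
| eval description=coalesce(description, errors) ```keep the raw code when the lookup has no match```
| top description
```

Codes missing from the lookup (700 and 800 here) then appear as their own rows instead of collapsing into a single null bucket.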


anwarmian
Communicator

That was a good answer Drainy. It worked for me too.

0 Karma

stephen123
Path Finder

Thanks - that solved the problem 🙂

0 Karma