Hi,
I'm trying to find whether a lookup file is available or not. If yes, I want to use the same file; if not, I want to use a different file. So far, with some help, I've written the query below. The eval fileName if condition is working fine; in the stats I can see the correct results (the desired files I'm looking for).
But I'm wondering whether I could use the filename in makeresults and search for the lookup file. Could someone please assist? Thanks in advance.
index=main sourcetype="dummySource" events
| stats by EventCode
| append [ | inputlookup states.csv | stats count as isAvailable ]
| stats sum(isAvailable) as available, values(EventCode) as EventCode
| eval fileName = if(available > 0, "1.csv", "2.csv")
| stats values(available) as available values(EventCode) as EventCode by fileName
| join type=left fileName
[| inputlookup [ | makeresults
| eval search=fileName
| table search ]]