Hello,
I am fairly new to Splunk and was wondering if the eval case function could be used in conjunction with lookup tables. Here is my current problem (if there are other solutions, I am open to suggestions).
I have 2 message types (100 and 200) each having a separate set of debug codes associated with them. So I am using lookup tables to expand the fields based on the message type and its corresponding field definitions. As far as I can tell, I cannot do this:
| lookup msg100_debug_codes.csv Code100 as DebugCode
| lookup msg200_debug_codes.csv Code200 as DebugCode
The second lookup table overrides what is in the first table. Also, the list of debug codes for each message type has overlapping numbers, which is why I cannot use one master lookup table since there could be 2 of the same (key, value) pairs. This is what led me to the case statement. Can I use Case to direct which lookup table to use? I am not sure if this is possible. Thank you in advance and if I can clarify any details please let me know.