Solved: Re: Is it possible to do a lookup based on IF stat...

guimilare · ‎01-24-2018

Hello Splunkers,
here is my scenario:

I have a field actionType that can assume two values: "S" or "A".
Based on actionType value, I need to do a lookup in different lookup tables.

For example, if actionType is "S", I have to do a lookup with S_actions.csv table; if it is "A", I have to do a lookup with A_actions.csv table.

My first idea was using an if statement, but I was unable to do so.
Any Ideas?

Thank in advance!

elliotproebstel · ‎01-24-2018

I'd do it like this:

your base search 
| eval s_action=if(actionType="S", Action, NULL), a_action=if(actionType="A", Action, NULL
| lookup S_actions.csv action AS s_action
| lookup A_actions.csv action AS a_action
| fields - s_action a_action

View solution in original post

elliotproebstel · ‎01-24-2018

I'd do it like this:

your base search 
| eval s_action=if(actionType="S", Action, NULL), a_action=if(actionType="A", Action, NULL
| lookup S_actions.csv action AS s_action
| lookup A_actions.csv action AS a_action
| fields - s_action a_action

guimilare · ‎01-24-2018

Thanks! Exactly what I needed!

elliotproebstel · ‎01-24-2018

Glad to help. 🙂

493669 · ‎01-24-2018

on selection of action type as "S" or "A", what action needs to be performed on lookup?

guimilare · ‎01-24-2018

I'll use a second field called "Action" (that's a code, and can be multivalue) and get the action description using the lookup.
Both S and A actionTypes have similar codes (e.g: A1, A2, A3). That's why I need to separate the lookups.

Is it possible to do a lookup based on IF statement?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?