Does lookup command support OR Boolean operation?

vpao · ‎07-29-2016

Hello,
I have events in index 1 and I have lookup table 1 created from a CSV file. I want to lookup events from index 1 in lookup table 1 by following a hierarchical logic:

lookup where tail number OR flight ID OR operator matches
AND lookup where airport matches

My search currently looks like this and it works. Is there a way to simplify it so that one lookup checks tail number then flight id then operator?
index=index1
| lookup lookuptable1 id as tailNo airport as iataAirport OUTPUT start_date/time as start_date
| lookup lookuptable1 id as flightId airport as iataAirport OUTPUTNEW start_date/time as start_date
| lookup lookuptable1 id as operator airport as iataAirport OUTPUTNEW start_date/time as start_date

kbarker302 · ‎07-29-2016

lookup does not, but you may be able to achieve what you're looking for by using a KV Store instead.

See this link for configuring a KV Store from a CSV file:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/ConfigureKVstorelookups

And see this link for examples of using a where clause with the KV Store (in the "Filters and queries" section):

http://dev.splunk.com/view/SP-CAAAEZH

Does lookup command support OR Boolean operation?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!