Hi Team,
I would like to call a different lookup table based on the cloudname in my search query.
For ex:
if cloudname=test1, then call the below search query
|inputlookup lookup_test1 | join type=inner [ | inputlookup info_lookup where cloudname=test1 | dedup cloudname hostname | rename hostname as host_name | table cloudname host_name ] | sort metrics_id | table metrics_id host_name
else,
if cloudname=test2, then call the below search query
|inputlookup lookup_test2 | join type=inner [ | inputlookup info_lookup where cloudname=test2 | dedup cloudname | table cloudname ] | sort metrics_id | table metrics_id host_name
So, my query is: how can I combine both these queries such that if cloudname=test1, then the first lookup (lookup_test1) is called, else if cloudname=test2, then the second lookup (lookup_test2) is called?
Regards,
Santosh
Since the searches are all inputlookups, we don't have to worry about the expense of the search.
Therefore, we can just add a filter before each of the joins that will kill the records from the other cloud, and then append the two searches together. This assumes the search will be in a panel and there is a token named mycloudtoken that contains either "test1" or "test2".
| inputlookup lookup_test1
| join type=inner
[ | inputlookup info_lookup where cloudname="test1"
| where cloudname="$mycloudtoken$"
| dedup cloudname hostname
| rename hostname as host_name
| table cloudname host_name
]
| append
[ | inputlookup lookup_test2
| join type=inner
[ | inputlookup info_lookup where cloudname="test2"
| where cloudname="$mycloudtoken$"
| dedup cloudname
| table cloudname ]
]
| sort metrics_id
| table metrics_id host_name
Is this going to be in a panel with tokens?
Yes, it will be in the same panel that uses the tokens.