Solved: how to assign an eval statement to matches on a su...

virex · ‎05-07-2019

I have a main search and a lookup table
I want to assign field called isCorrect to values from the main search that matches the lookup table

it would look something like this

<main search>
| eval isCorrect = if(<found in lookup> , "true", "false")

however i am not sure how to form the logic for the boolean statement in the if statement

for now my boolean statement looks like
[|inputlookup lookup.csv| fields match]

richgalloway · ‎05-07-2019

A subsearch won't work there. You should consult the lookup table for each event and test for correctness. Something like this:

<main search>
| lookup lookup.csv <some field from the event> output <some field from the lookup>
| eval isCorrect = if(isnull(<some field from the lookup>, "false", "true")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-07-2019

A subsearch won't work there. You should consult the lookup table for each event and test for correctness. Something like this:

<main search>
| lookup lookup.csv <some field from the event> output <some field from the lookup>
| eval isCorrect = if(isnull(<some field from the lookup>, "false", "true")

---
If this reply helps you, Karma would be appreciated.

virex · ‎05-07-2019

Great it works for me!

how to assign an eval statement to matches on a subsearch?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...