Hi
I have a search that will display result that will fall under device1 and device2.
If device1 i need to check lookup1 (and if device2 then lookup2) for a match deviceName=device , outputting Code and doing a regex on Code to extract some values. The regex will be different for lookup1 and lookup2.
Here is my code that isnt working (no results displayed):
<base-search replaced some details with '...' for security>
<if device1>
| lookup lookup1 device as device output CODE
| mvexpand ...
| mvexpand ...
| where ...!= device and like(..., "...%")
| rename ... as ...
| eval LRD1=substr(..., 1, 4), LRD2=substr(...,1,4)
<if device2>
| lookup lookup2 device as device output CODE
| search Node=o*
| rex field=Description "(?<bearer>...)"
| table *
After each lookup there are a few operations to perform dependant on which lookup table is searched. Both searches are working ok on their own just not combined.
Thanks
Hi @glennthechamp,
SPL is a search language not a procedural language, so it isn't possible to create a code like the one you described.
You should change your approach and try something like this (it's a porkaround!)
<base-search replaced some details with '...' for security>
| lookup lookup1 device as device output CODE
| mvexpand ...
| mvexpand ...
| where ...!= device and like(..., "...%")
| rename field1 AS field1_device1 field2 AS field2_device2 field3 AS field3_device3
| eval LRD1=substr(..., 1, 4), LRD2=substr(...,1,4)
| append [ search <base-search replaced some details with '...' for security>
| lookup lookup2 device as device output CODE
| search Node=o*
| rex field=Description "(?<bearer>...)"
| rename field1 AS field1_device2 field2 AS field2_device2 field3 AS field3_device2
| table * ]
| eval field1=if(device=device1,field1_device1,field1_device2), field2=if(device=device1,field2_device1,field2_device2), field3=if(device=device1,field3_device1,field3_device2)
| table field1 field2 field3
Otherwise, you have to use a JavaScript, but I cannot help you for this.
Ciao.
Giuseppe