- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: lookup table to show values that do not match
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi - I have a look-up table of errors codes and descriptions, and a log file with errors codes
lookup error_descriptions_table look_up_errors as errors OUTPUT description | top description
This works fine if all the error codes are in the look-up table but if a new error appears in the log it will not display it (or combine them into a null field) - so what i want it to do is display the error description if possible otherwise display the code - in the same column
so if the look-up table is
200, perfect
404, page not found
500, internal server error
etc
log file is
200
200
404
700
404
800
200
etc
At the moment I get
perfect 3
null 2
not found 2
what i want is
perfect 3
not found 2
700 1
800 1
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appending an eval after your search should do the job, something like;
| eval description=if(isnull(description),look_up_errors,description)
This basically says, set the field description equal to the look_up_errors value if the field is null (no value is returned from the lookup). Otherwise, if it isn't null then we can assume it has successfully looked up a description and instead keep using it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was a good answer Drainy. It worked for me too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appending an eval after your search should do the job, something like;
| eval description=if(isnull(description),look_up_errors,description)
This basically says, set the field description equal to the look_up_errors value if the field is null (no value is returned from the lookup). Otherwise, if it isn't null then we can assume it has successfully looked up a description and instead keep using it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - that solved the problem 🙂
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
