
Splunk lookup multiple fields: how to
I simply can't figure out how to evaluate between a range in a lookup table to get my desired value. So I can't give you the exact data and scenario I need this for, but if we can solve the above I can work from there. Unfortunately I am using dummy data because of protections on the information. So I need a way to take X, evaluate that it falls between Y and Z (Y X) from the lookup table, and return my desired field (A) from the lookup table. I identified this as MyNumber in the post but we'll say X here. I have a value that falls in one of the Y-Z ranges of the lookup table. In the example, one would be 1500-1599 for a range. The high and low together make a range Y-Z. I have a lookup table with a high value (Y) and low value (Z) and my desired value (A).

1520 (myNumber) is between 1500 (low) and 1599 (high) so it should return the desired value (220). 1400 (myNumber) is between 1000 (low) and 1499 (High) so it should return the desired value (500). 1200 (myNumber) is between 1000 (low) and 1499 (High) so it should return the desired value (500). MyNumber isn't the range, it's a number that will fall between the ranges basically: the lookup command but it doesn't have any evaluations built in that I can find seems to only work for exact matches.

Join doesn't allow passing of vars and there isn't a shared field to join on, so no love there. However, if I try mapping the same search to map search="| inputlookup search here | where low $myNumber$" it doesn't work, meaning I can't seem to find a way to link the two together. If I use inputlookup I can use the where command to filter out values just fine. I have no problem breaking apart the multivalue and rejoining it, I just can't figure out how to do a lookup that falls within two fields. I can't seem to figure out how to go about this.
So my final output should look like this when I'm done: Field1 The number does not match the Low or High, but will always fall between one of the ranges. I want to be able to add the Desired Value to my table based on if myNumber falls between the Low and High. Or if I break it apart with mvexpand, like this: Field1 So my input before I need the value may look like this: Field1 I'm just noting this in case it provides any value for the answer. I've found I have more success breaking this up with mvexpand and rejoining it again later with stats. The typical input for "myNumber" is a multivalue, containing typically three or more. (low myNumber), to then pull the desired value. I work through my search input and come to a number value I want to test in the range of the low and high. For example (these are just dummy values as the actual CSV is much larger): Low I have a lookup table which contains a varying low value and a high value for many rows, along with the desired value I wish to grab.
