https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188126#M187079 <P>Hi ejpulsar,</P> <P>I think this is not possible -- (speaking Splunk Version &lt; 6.2 - I don't know if this is now possible).</P> <P>But if those start and end values are static, you could use the the <CODE>EVAL-</CODE> function in <CODE>props.conf</CODE> for this:</P> <PRE><CODE>EVAL-&lt;fieldname&gt; = &lt;eval statement&gt; * Use this to automatically run the &lt;eval statement&gt; and assign the value of the output to &lt;fieldname&gt;. This creates a "calculated field." </CODE></PRE> <P>Something like this could do the trick for you:</P> <PRE><CODE>EVAL-Name = case((NUM&gt;"100" AND NUM&lt;"120"), "A", (NUM&gt;"121" AND NUM&lt;"180"), "B", (NUM&gt;"180"), "C") </CODE></PRE> <P>You can use this run everywhere command to test it:</P> <PRE><CODE>index=_internal | head 1 | eval NUM="182" | eval Name=case((NUM&gt;"100" AND NUM&lt;"120"), "A", (NUM&gt;"121" AND NUM&lt;"180"), "B", (NUM&gt;"180"), "C") | table NUM Name </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 29 Oct 2014 12:40:10 GMT MuS 2014-10-29T12:40:10Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188125#M187078 <P>Hi!<BR /> We've "broken" our heads on this.</P> <P>Let we have events with field</P> <PRE><CODE>NUM=100 NUM=150 </CODE></PRE> <P>And static lookup with interval looks like this (yes, we can change it format if needed):</P> <PRE><CODE>NAME START END A 100 120 B 121 180 </CODE></PRE> <P>We need to produce evens like</P> <PRE><CODE>NUM=100 NAME=A NUM=150 NAME=B </CODE></PRE> Wed, 29 Oct 2014 08:32:28 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188125#M187078 ejpulsar 2014-10-29T08:32:28Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188126#M187079 <P>Hi ejpulsar,</P> <P>I think this is not possible -- (speaking Splunk Version &lt; 6.2 - I don't know if this is now possible).</P> <P>But if those start and end values are static, you could use the the <CODE>EVAL-</CODE> function in <CODE>props.conf</CODE> for this:</P> <PRE><CODE>EVAL-&lt;fieldname&gt; = &lt;eval statement&gt; * Use this to automatically run the &lt;eval statement&gt; and assign the value of the output to &lt;fieldname&gt;. This creates a "calculated field." </CODE></PRE> <P>Something like this could do the trick for you:</P> <PRE><CODE>EVAL-Name = case((NUM&gt;"100" AND NUM&lt;"120"), "A", (NUM&gt;"121" AND NUM&lt;"180"), "B", (NUM&gt;"180"), "C") </CODE></PRE> <P>You can use this run everywhere command to test it:</P> <PRE><CODE>index=_internal | head 1 | eval NUM="182" | eval Name=case((NUM&gt;"100" AND NUM&lt;"120"), "A", (NUM&gt;"121" AND NUM&lt;"180"), "B", (NUM&gt;"180"), "C") | table NUM Name </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 29 Oct 2014 12:40:10 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188126#M187079 MuS 2014-10-29T12:40:10Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188127#M187080 <P>If you can change the format of static lookup file, then you can change it to have just the fields NAME and NUM, where NUM will be all the integer values from START to END.</P> <P>You can generate the new lookup file (with NAME and NUM) from existing lookup (NAME, START, END) using following splunk search</P> <PRE><CODE>|inputlookup yourOldLookup | eval NUM=mvrange(START,END+1) | mvexpand NUM | table NAME, NUM | outputlookup youNewLookup </CODE></PRE> Wed, 29 Oct 2014 14:45:03 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188127#M187080 somesoni2 2014-10-29T14:45:03Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188128#M187081 <P>We've tried this way. Unfortunately intervals is so big and resulting lookup over 10-20GB in size.</P> Thu, 30 Oct 2014 06:55:30 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188128#M187081 ejpulsar 2014-10-30T06:55:30Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188129#M187082 <P>Got it!</P> <P>With expanding case argument by subsearch<BR /> Thanks to all for help!</P> <PRE><CODE>* | eval NUM=150 | eval NAME=case([|inputlookup name_range.csv| eval argument="NUM&gt;=".interval_begin." AND NUM&lt;=".interval_end.",\"".name."\"" | stats values(argument) as argument | eval argument=mvjoin(argument,",")|return $argument]) </CODE></PRE> Thu, 30 Oct 2014 07:40:52 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188129#M187082 ejpulsar 2014-10-30T07:40:52Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188130#M187083 <P>As you see below, its possible now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 Oct 2014 07:46:26 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188130#M187083 ejpulsar 2014-10-30T07:46:26Z https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188131#M187084 <P>nice - looks like I misunderstood your initial question, because doing this by using only a <CODE>lookup</CODE> command is not possible (I think) <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 30 Oct 2014 08:20:41 GMT https://community.splunk.com/t5/Splunk-Search/Determine-numerical-value-belong-to-intervals-which-stored-in/m-p/188131#M187084 MuS 2014-10-30T08:20:41Z