https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672804#M230421 <P>I think doing something like this would work.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;base_search&gt; | lookup &lt;lookup_name&gt; UserID OUTPUT Attribute | eval attribute_regex=".*\-(\d+)\-.*", max_attribute=case( isnull(Attribute), null(), mvcount(Attribute)==1, max(tonumber(replace(Attribute, attribute_regex, "\1"))), mvcount(Attribute)&gt;1, max(mvmap(Attribute, tonumber(replace(Attribute, attribute_regex, "\1")))) ), max_attribute_full=mvdedup( case( isnull(Attribute), null(), mvcount(Attribute)==1, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null()), mvcount(Attribute)&gt;1, mvmap(Attribute, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null())) ) )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><BR />You can see in the screenshot below I used simulated data to do what I think you are asking for.<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1703717237716.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28675i6AF4202C8626CDA4/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1703717237716.png" alt="dtburrows3_0-1703717237716.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>The regex used in the replace command can be adjusted to fit the pattern that is stored in the Attribute field value to just grab the number.</P> Wed, 27 Dec 2023 22:47:31 GMT dtburrows3 2023-12-27T22:47:31Z https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672801#M230419 <P>Hi All,</P><P>This may be a bit of a peculiar question, but I'm trying to figure out if there's a way to use a certain expression in a search query to pull a "maximum" value based upon a custom table (.csv import) that is pulled into the query via the "lookup" command.</P><P>The table has 4 possible "Attribute" values which range from "level-1-access" to "level-4-access". In the stats table, a given UserID may have activity that reflect 1 or more of these (thus, a maximum of 4 per UserID).</P><P>Below is a sample dataset. What I'm attempting to do is filter this data so that it's only showing the "maximum" (or, "highest") value for each UserID. The rows <FONT color="#339966"><STRONG>bolded in green</STRONG></FONT> is what I'd want to see, with everything else excluded; thus, there should only be 1 row per distinct UserID.</P><P>One possible thought that comes to mind is adding an numeric field to the .csv lookup, though still not 100% certain how to go about rendering the stats table to only include the highest value per UserID.&nbsp;</P><P>Any help would be appreciated. Thanks!&nbsp;</P><TABLE width="243"><TBODY><TR><TD width="101.625px" height="25px"><STRONG>UserID</STRONG></TD><TD width="140.375px" height="25px"><STRONG>Attribute</STRONG></TD></TR><TR><TD width="101.625px" height="25px">jdoe</TD><TD width="140.375px" height="25px">level-1-access</TD></TR><TR><TD width="101.625px" height="25px">jdoe</TD><TD width="140.375px" height="25px">level-3-access</TD></TR><TR><TD width="101.625px" height="25px"><STRONG><FONT color="#339966">jdoe</FONT></STRONG></TD><TD width="140.375px" height="25px"><STRONG><FONT color="#339966">level-4-access</FONT></STRONG></TD></TR><TR><TD width="101.625px" height="25px">asmith</TD><TD width="140.375px" height="25px">level-1-access</TD></TR><TR><TD width="101.625px" height="25px"><FONT color="#339966"><STRONG>asmith</STRONG></FONT></TD><TD width="140.375px" height="25px"><FONT color="#339966"><STRONG>level-2-access</STRONG></FONT></TD></TR><TR><TD width="101.625px" height="25px">ejones</TD><TD width="140.375px" height="25px">level-3-access</TD></TR><TR><TD width="101.625px" height="25px"><FONT color="#339966"><STRONG>ejones</STRONG></FONT></TD><TD width="140.375px" height="25px"><FONT color="#339966"><STRONG>level-4-access</STRONG></FONT></TD></TR><TR><TD width="101.625px" height="25px">pthomas</TD><TD width="140.375px" height="25px">level-1-access</TD></TR><TR><TD width="101.625px" height="25px">pthomas</TD><TD width="140.375px" height="25px">level-2-access</TD></TR><TR><TD width="101.625px" height="25px">pthomas</TD><TD width="140.375px" height="25px">level-3-access</TD></TR><TR><TD width="101.625px" height="25px"><STRONG><FONT color="#339966">pthomas</FONT></STRONG></TD><TD width="140.375px" height="25px"><STRONG><FONT color="#339966">level-4-access</FONT></STRONG></TD></TR></TBODY></TABLE> Wed, 27 Dec 2023 21:43:47 GMT https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672801#M230419 bcanfield83 2023-12-27T21:43:47Z https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672804#M230421 <P>I think doing something like this would work.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;base_search&gt; | lookup &lt;lookup_name&gt; UserID OUTPUT Attribute | eval attribute_regex=".*\-(\d+)\-.*", max_attribute=case( isnull(Attribute), null(), mvcount(Attribute)==1, max(tonumber(replace(Attribute, attribute_regex, "\1"))), mvcount(Attribute)&gt;1, max(mvmap(Attribute, tonumber(replace(Attribute, attribute_regex, "\1")))) ), max_attribute_full=mvdedup( case( isnull(Attribute), null(), mvcount(Attribute)==1, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null()), mvcount(Attribute)&gt;1, mvmap(Attribute, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null())) ) )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><BR />You can see in the screenshot below I used simulated data to do what I think you are asking for.<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1703717237716.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28675i6AF4202C8626CDA4/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1703717237716.png" alt="dtburrows3_0-1703717237716.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>The regex used in the replace command can be adjusted to fit the pattern that is stored in the Attribute field value to just grab the number.</P> Wed, 27 Dec 2023 22:47:31 GMT https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672804#M230421 dtburrows3 2023-12-27T22:47:31Z https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672889#M230444 <P>Thank you very much!!!&nbsp;</P> Fri, 29 Dec 2023 19:03:58 GMT https://community.splunk.com/t5/Splunk-Search/Expression-for-custom-lookup-table-values/m-p/672889#M230444 bcanfield83 2023-12-29T19:03:58Z