https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294022#M88758 <P>Did not work out for me. Trying to troubleshoot. </P> Tue, 28 Mar 2017 17:19:42 GMT manmeet99 2017-03-28T17:19:42Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294017#M88753 <P>Have been trying to crack this for a long time. Would highly appreciate any help. </P> <P>I have a lookup similar to this:</P> <P><STRONG>Merchant_ID Amount_threshold Count_threshold Description</STRONG><BR /> Merchant1 15 1 ABC<BR /> Merchant2 11 5 XYZ<BR /> Merchant3 25 5 LMN<BR /> * 13 1 all_other_merchants</P> <P>And my events are:</P> <P><STRONG>Merchant_ID Amount</STRONG><BR /> Merchant1 10<BR /> Merchant1 20<BR /> Merchant2 10<BR /> Merchant3 40<BR /> Merchant7 30<BR /> Merchant7 20</P> <P>I want my query to return something like this:</P> <P>If for each merchant:</P> <P>Total_amount&gt;amount_threshold AND count&gt;count_threshold</P> <P>Then show it in the table below</P> <P><STRONG>Merchant_ID Description Total_amount Total_count Amount_threshold Count_threshold</STRONG><BR /> Merchant1 ABC 30 2 15 1<BR /> Merchant7 all_other_merchants 50 2 13 1</P> <P>Update: Added a new case - a wild card merchant ID that captures all merchants not explicitly specified in the lookup and applies thresholds to that merchant. </P> Tue, 29 Sep 2020 13:23:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294017#M88753 manmeet99 2020-09-29T13:23:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294018#M88754 <P>Assuming the lookup file name is <STRONG>merchantlookup.csv</STRONG> </P> <PRE><CODE>&lt;YourBaseSearch&gt; | stats count as Total_count sum(Amount) as Total_amount by Merchant_ID | lookup merchantlookup MerchantID OUTPUT Amount_threshold Count_threshold Description | where Total_amount&gt;Amount_threshold AND Total_count &gt;Count_threshold | table MerchantID Description Total_amount Total_count Amount_threshold Count_threshold </CODE></PRE> Fri, 24 Mar 2017 20:29:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294018#M88754 niketn 2017-03-24T20:29:05Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294019#M88755 <P>Use a left join against the lookup table, like this...</P> <PRE><CODE>(your event search) | stats count as Total_count sum(Amount) as Total_amount by Merchant_ID | join type=left Merchant_ID [| inputlookup yourlookup.csv | table Merchant_ID Amount_threshold Count_threshold Description ] | where (Total_amount&gt;Amount_threshold AND Total_count&gt;Count_threshold) OR (isnull(Amount_threshold)) | fillnull value="((Not Found))" Description Amount_threshold Count_threshold | table Merchant_ID Description Total_amount Total_count Amount_threshold Count_threshold </CODE></PRE> <P>...and here's some run-anywhere code to show you that it works...</P> <PRE><CODE> | makeresults | eval mydata="Merchant1,10 Merchant1,20 Merchant2,10 Merchant3,40 Merchant4,40" | makemv mydata | mvexpand mydata | rex field=mydata "(?&lt;Merchant_ID&gt;[^,]+),(?&lt;Amount&gt;.*)" | stats count as Total_count sum(Amount) as Total_amount by Merchant_ID | join type=left Merchant_ID [| makeresults | eval mylookup="Merchant1,15,1,ABC Merchant2,11,5,XYZ Merchant3,25,5,LMN" | makemv mylookup | mvexpand mylookup | rex field=mylookup "(?&lt;Merchant_ID&gt;[^,]+),(?&lt;Amount_threshold&gt;[^,]+),(?&lt;Count_threshold&gt;[^,]+),(?&lt;Description&gt;.*)" | table Merchant_ID Amount_threshold Count_threshold Description ] | where (Total_amount&gt;Amount_threshold AND Total_count&gt;Count_threshold) OR (isnull(Amount_threshold)) | fillnull value="((Not Found))" Description Amount_threshold Count_threshold | table Merchant_ID Description Total_amount Total_count Amount_threshold Count_threshold </CODE></PRE> Fri, 24 Mar 2017 20:48:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294019#M88755 DalJeanis 2017-03-24T20:48:58Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294020#M88756 <P>Like this</P> <PRE><CODE>Your Base Search Here | appendpipe [|inputlookup YourLookupHere] | stats values(*) AS * sum(Amount) AS Total_amount count AS Total_count BY Merchant_ID | where Total_amount&gt;Amount_threshold AND Total_count&gt;Count_threshold | table Merchant_ID Description Total_amount Total_count Amount_threshold Count_threshold </CODE></PRE> Sun, 26 Mar 2017 22:51:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294020#M88756 woodcock 2017-03-26T22:51:22Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294021#M88757 <P>I tried this out. The threshold values display just one value for all rows instead of displaying threshold value applicable to the specific merchant. </P> Tue, 28 Mar 2017 17:13:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294021#M88757 manmeet99 2017-03-28T17:13:56Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294022#M88758 <P>Did not work out for me. Trying to troubleshoot. </P> Tue, 28 Mar 2017 17:19:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294022#M88758 manmeet99 2017-03-28T17:19:42Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294023#M88759 <P>I tested and it works. It may be that you have not described something in your dataset (probably a field name) accurately? Double-check all the fieldnames and make sure that they match.</P> Tue, 28 Mar 2017 19:17:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-evaluate-thresholds/m-p/294023#M88759 woodcock 2017-03-28T19:17:22Z