Knowledge Management

How can i filter columns based on other column value

jvishwak
Path Finder

Hi,

I have a created a table with columns A and B, we are using KV store to get the threshold config data and KV
Store in response providing table column names as
...
KV Store is also having a column (component_id) value of which is same as column A in other table.

I want to filter the KV Store's column .. based on the value of column B and column A.

I tried using a macro with 2 parameters in first input passing the column A value and other parameter passing column B value.

Here is my macro query:
lookup KVStore_thresholds_config component_id | table component_id, Overtide..thesholdValue | transpose 1000 | addtotals | fields - row |
where column = $y$ | table column, Total

But its not working, macro is not searching the desired result, also it is overwriting previous table fields.

Can someone help on the possible ways to get the required result from the KV store.

0 Karma

jvishwak
Path Finder

updating he question as few text got removed while pasting...
KV Store in response providing table column names as
..

Macro Query which i tried:
lookup KVStore_thresholds_config component_id | table component_id, Override..thesholdValue | transpose 1000 | addtotals | fields - row| where column = $y$ | table column, Total

0 Karma

jvishwak
Path Finder

Somehow the text is getting removed :(, in simple format again

KV Store in response providing table column names as
someFixedtext.ValueAsWeHaveInColumnB.SomeFixedText

Macro Query which i tried:
lookup KVStore_thresholds_config component_id | table component_id, Override..thesholdValue | transpose 1000 | addtotals | fields - row| where column = $y$ | table column, Total

0 Karma

msivill_splunk
Splunk Employee
Splunk Employee

So heres a simpler example of filtering by lookup value which should hopefully get you started.

Using data ( put into index 456446 ) -

time,column_a,column_b
09-21-2016 01:00:00,11,10
09-22-2016 01:00:00,9,10
09-23-2016 01:00:00,7,10
09-24-2016 01:00:00,5,10
09-25-2016 01:00:00,3,10
09-26-2016 01:00:00,1,10
09-27-2016 01:00:00,0,10

With lookup ( put into 456446_lookup ) -

component_id, value
1,1
2,2
3,3
4,5
5,8
6,13
7,21
8,34
9,55
10,89

You can use this -

index="456446" 
| lookup 456446_lookup component_id as column_a outputnew value as comparison_field
| table column_a, column_b, comparison_field
| where column_b < comparison_field
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...