Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i filter columns based on other column value

jvishwak
Path Finder
‎10-02-2016 10:38 PM

Hi,

I have a created a table with columns A and B, we are using KV store to get the threshold config data and KV
Store in response providing table column names as
...
KV Store is also having a column (component_id) value of which is same as column A in other table.

I want to filter the KV Store's column .. based on the value of column B and column A.

I tried using a macro with 2 parameters in first input passing the column A value and other parameter passing column B value.

Here is my macro query:
lookup KVStore_thresholds_config component_id | table component_id, Overtide..thesholdValue | transpose 1000 | addtotals | fields - row |
where column = $y$ | table column, Total

But its not working, macro is not searching the desired result, also it is overwriting previous table fields.

Can someone help on the possible ways to get the required result from the KV store.

0 Karma
Reply

jvishwak
Path Finder
‎10-03-2016 01:34 AM

updating he question as few text got removed while pasting...
KV Store in response providing table column names as
..

Macro Query which i tried:
lookup KVStore_thresholds_config component_id | table component_id, Override..thesholdValue | transpose 1000 | addtotals | fields - row| where column = $y$ | table column, Total

0 Karma
Reply

jvishwak
Path Finder
‎10-03-2016 01:36 AM

Somehow the text is getting removed :(, in simple format again

KV Store in response providing table column names as
someFixedtext.ValueAsWeHaveInColumnB.SomeFixedText

Macro Query which i tried:
lookup KVStore_thresholds_config component_id | table component_id, Override..thesholdValue | transpose 1000 | addtotals | fields - row| where column = $y$ | table column, Total

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎10-03-2016 01:01 AM

So heres a simpler example of filtering by lookup value which should hopefully get you started.

Using data ( put into index 456446 ) -

time,column_a,column_b
09-21-2016 01:00:00,11,10
09-22-2016 01:00:00,9,10
09-23-2016 01:00:00,7,10
09-24-2016 01:00:00,5,10
09-25-2016 01:00:00,3,10
09-26-2016 01:00:00,1,10
09-27-2016 01:00:00,0,10

With lookup ( put into 456446_lookup ) -

component_id, value
1,1
2,2
3,3
4,5
5,8
6,13
7,21
8,34
9,55
10,89

You can use this -

index="456446" 
| lookup 456446_lookup component_id as column_a outputnew value as comparison_field
| table column_a, column_b, comparison_field
| where column_b < comparison_field
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...