Splunk Search

I want to evaluate a condition using the value of a field

blaku
Explorer

The field value holds a number, and the field affected holds the comparison condition that applies to it.

No  value  affected
1   10     =
2   5      =<
3   1      !=

For each event I want to evaluate value against the operator in affected and display only the events where the comparison is true.
(In the example, searching with 6 should return both No 2 and No 3.)
Is there a good way to do this?

0 Karma

tuemura_splunk
Splunk Employee

Splunk has only six comparison operators, so although it is brute force, how about putting all of them into a case() statement?

YOUR_SEARCH OR INPUTLOOKUP
| eval i = 6
| eval flag=case(
    affected="=",                        if(value=i,  "true", "false"),
    affected="!=",                       if(value!=i, "true", "false"),
    (affected="=<" OR affected="<="),    if(value<=i, "true", "false"),
    (affected="=>" OR affected=">="),    if(value>=i, "true", "false"),
    affected="<",                        if(value<i,  "true", "false"),
    affected=">",                        if(value>i,  "true", "false"))
| where flag="true"
0 Karma
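A self-contained version of the same case() dispatch, added here as an example and not part of either post: it builds the three rows from the question with makeresults so the search can be pasted into any Splunk instance, normalizes the operator spelling (`=<` to `<=`, `=>` to `>=`) with replace() instead of enumerating both forms, and flags rows whose value is not numeric or whose operator is unrecognized so they are not silently dropped. The fields op, v and the "invalid"/"unknown" flag values are assumptions introduced for this example.

```spl
| makeresults count=3
| streamstats count AS No
| eval value=case(No=1, 10, No=2, 5, No=3, 1)
| eval affected=case(No=1, "=", No=2, "=<", No=3, "!=")
| eval i=6
| eval op=replace(replace(trim(affected), "^=<$", "<="), "^=>$", ">=")
| eval v=tonumber(value)
| eval flag=case(
    isnull(v), "invalid",
    op="=",    if(v=i,  "true", "false"),
    op="!=",   if(v!=i, "true", "false"),
    op="<=",   if(v<=i, "true", "false"),
    op=">=",   if(v>=i, "true", "false"),
    op="<",    if(v<i,  "true", "false"),
    op=">",    if(v>i,  "true", "false"),
    true(),    "unknown")
| where flag="true"
| table No value affected flag
```

With i=6 this returns No 2 (5 <= 6) and No 3 (1 != 6); remove the where clause to see the "invalid" and "unknown" rows when the lookup contains bad data.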