Splunk Search

Determine numerical value belong to intervals which stored in static lookup

ejpulsar
Path Finder

Hi!
We've "broken" our heads over this.

Say we have events with a field:

NUM=100
NUM=150

And a static lookup with intervals that looks like this (yes, we can change its format if needed):

NAME START END
A    100   120
B    121   180

We need to produce events like

NUM=100 NAME=A
NUM=150 NAME=B

ejpulsar
Path Finder

Got it!

By expanding the case() argument with a subsearch:
Thanks to all for help!

* | eval NUM=150
  | eval NAME=case([
        | inputlookup name_range.csv
        | eval argument="NUM>=".interval_begin." AND NUM<=".interval_end.",\"".name."\""
        | stats values(argument) as argument
        | eval argument=mvjoin(argument,",")
        | return $argument
    ])

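The expansion the accepted subsearch performs, as an added Python example that is not part of the thread: it parses a constructed copy of the lookup using the NAME/START/END columns from the question, emits the same case() argument with numeric (unquoted) bounds, and resolves a value to its interval by bisection instead of expanding every integer into a lookup row. The sample rows, column names and function names are assumptions.

```python
import csv
import io
from bisect import bisect_right

# Constructed sample of the static lookup (name_range.csv in the accepted answer),
# using the NAME/START/END columns from the question. Not the poster's real file.
LOOKUP_CSV = """NAME,START,END
A,100,120
B,121,180
"""

def load_intervals(csv_text):
    """Parse the lookup into (start, end, name) tuples sorted by start and
    reject overlapping intervals, which would make case() order-dependent."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        start, end = int(row["START"]), int(row["END"])
        if start > end:
            raise ValueError(f"bad interval for {row['NAME']}: {start} > {end}")
        rows.append((start, end, row["NAME"]))
    rows.sort()
    for (s1, e1, n1), (s2, e2, n2) in zip(rows, rows[1:]):
        if s2 <= e1:
            raise ValueError(f"intervals {n1} and {n2} overlap")
    return rows

def case_expression(intervals, field="NUM"):
    """Build the case() argument that the accepted answer assembles with
    eval/stats/mvjoin/return. Bounds are left unquoted so Splunk compares
    numerically rather than lexicographically ("99" > "100" as strings)."""
    args = [f'{field}>={s} AND {field}<={e},"{n}"' for s, e, n in intervals]
    return "case(" + ",".join(args) + ")"

def lookup_name(intervals, num):
    """Resolve one value to its interval name without materialising every
    integer (the approach that produced the 10-20GB lookup in the thread)."""
    starts = [s for s, _, _ in intervals]
    i = bisect_right(starts, num) - 1
    if i >= 0 and intervals[i][0] <= num <= intervals[i][1]:
        return intervals[i][2]
    return None

if __name__ == "__main__":
    ivs = load_intervals(LOOKUP_CSV)
    print(case_expression(ivs))
    for n in (100, 150, 99, 181):
        print(n, lookup_name(ivs, n))
```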

MuS
SplunkTrust

Nice - looks like I misunderstood your initial question, because doing this by using only a lookup command is not possible (I think) 😉


somesoni2
Revered Legend

If you can change the format of static lookup file, then you can change it to have just the fields NAME and NUM, where NUM will be all the integer values from START to END.

You can generate the new lookup file (with NAME and NUM) from the existing lookup (NAME, START, END) using the following Splunk search:

|inputlookup yourOldLookup | eval NUM=mvrange(START,END+1) | mvexpand NUM | table NAME, NUM | outputlookup youNewLookup

ejpulsar
Path Finder

We've tried this way. Unfortunately the intervals are so big that the resulting lookup is over 10-20GB in size.


MuS
SplunkTrust

Hi ejpulsar,

I think this is not possible (speaking of Splunk versions < 6.2 - I don't know if this is now possible).

But if those start and end values are static, you could use the EVAL- function in props.conf for this:

EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output 
  to <fieldname>. This creates a "calculated field." 

Something like this could do the trick for you:

EVAL-Name = case((NUM>=100 AND NUM<=120), "A", (NUM>=121 AND NUM<=180), "B", (NUM>180), "C")

You can use this run everywhere command to test it:

index=_internal | head 1 | eval NUM=182 | eval Name=case((NUM>=100 AND NUM<=120), "A", (NUM>=121 AND NUM<=180), "B", (NUM>180), "C") | table NUM Name

Hope this helps ...

cheers, MuS


ejpulsar
Path Finder

As you can see below, it's possible now 🙂
