Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract the largest value between two str...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kingwaras
Engager
12-04-2018
01:12 AM
Hi all,
is there a way to compare two strings in a search query?
I would extract only the value greater than of Level2 value in the hierarchy_lookup file and that it starts with my same letter.
In the file hierarchy_lookup.csv, the values are:
[Name] [Level2]
Elizabeth A1
William A2
Madison A3
Victoria B1
James B2
Daniel B3
Matthew B3
I will try to explain my issue better.
My level is A2. In my case, I would extract all names that have a level lower than mine, and that start with my same letter (A in my case)
You can see my first step of the query below.
| inputlookup hierarchy_lookup.csv
| where Level2 > [| inputlookup hierarchy_lookup.csv |
where [| rest /services/authentication/current-context | table username | rename username as Name]
| table Level2 | rename Level2 as search]
Thanks in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
12-04-2018
02:15 AM
Try the following. It takes the full lookup. It than adds an extra line containing your name and level, with the level value copied to the myLevel field. It then copies that myLevel field to all other lines. It then splits up the myLevel and Level2 field in each line into the letter and the digit. And finally filters for same letter, higher digit.
| inputlookup hierarchy_lookup.csv
| append [
| rest /services/authentication/current-context
| table username
| rename username as Name
| lookup hierarchy_lookup.csv Name
| eval myLevel = Level2
]
| eventstats values(myLevel) as myLevel
| eval myLevelLetter = substr(myLevel,0,1)
| eval myLevelDigit = substr(myLevel,1,1)
| eval LevelLetter = substr(Level2,0,1)
| eval LevelDigit = substr(Level2,1,1)
| where myLevelLetter = LevelLetter AND LevelDigit > myLevelDigit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-04-2018
02:23 AM
@kingwaras ,
In the above example , the lowest level for A should be A3 instead of A2 . Isn't it ?
With the mentioned data, try the below and see if it works for you
| inputlookup hierarchy_lookup.csv|rex field="Level2" "(?<Alphabet>[A-Z])(?<Number>\d)"|eventstats max(Number) as max by Alphabet|where Number<max
Based on the actual Level2 data , you need to adjust the rex
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kingwaras
Engager
12-04-2018
03:09 AM
Hi @renjith.nair. Yes, correct. The lowest levels are A3 and A2, but your script extract also values B2 and C2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-04-2018
05:43 AM
OK if you are looking for only "A" , just filter with |where Number<max AND Alphabet="A"
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
12-04-2018
05:46 AM
The thing is that he wants this dynamic based on the currently logged in user, as far as I understand.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
12-04-2018
02:15 AM
Try the following. It takes the full lookup. It than adds an extra line containing your name and level, with the level value copied to the myLevel field. It then copies that myLevel field to all other lines. It then splits up the myLevel and Level2 field in each line into the letter and the digit. And finally filters for same letter, higher digit.
| inputlookup hierarchy_lookup.csv
| append [
| rest /services/authentication/current-context
| table username
| rename username as Name
| lookup hierarchy_lookup.csv Name
| eval myLevel = Level2
]
| eventstats values(myLevel) as myLevel
| eval myLevelLetter = substr(myLevel,0,1)
| eval myLevelDigit = substr(myLevel,1,1)
| eval LevelLetter = substr(Level2,0,1)
| eval LevelDigit = substr(Level2,1,1)
| where myLevelLetter = LevelLetter AND LevelDigit > myLevelDigit
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
