Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I extract the largest value between two strings?

kingwaras
Engager
‎12-04-2018 01:12 AM

Hi all,

is there a way to compare two strings in a search query?

I would extract only the value greater than of Level2 value in the hierarchy_lookup file and that it starts with my same letter.
In the file hierarchy_lookup.csv, the values are:

[Name] [Level2]
Elizabeth A1
William A2
Madison A3
Victoria B1
James B2
Daniel B3
Matthew B3

I will try to explain my issue better.

My level is A2. In my case, I would extract all names that have a level lower than mine, and that start with my same letter (A in my case)

You can see my first step of the query below.

| inputlookup hierarchy_lookup.csv 
 | where Level2 > [| inputlookup hierarchy_lookup.csv  | 
          where [| rest /services/authentication/current-context | table username | rename username as Name] 
            | table Level2 | rename Level2 as search]

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-04-2018 02:15 AM

Try the following. It takes the full lookup. It than adds an extra line containing your name and level, with the level value copied to the myLevel field. It then copies that myLevel field to all other lines. It then splits up the myLevel and Level2 field in each line into the letter and the digit. And finally filters for same letter, higher digit.

| inputlookup hierarchy_lookup.csv 
| append [ 
   | rest /services/authentication/current-context
   | table username
   | rename username as Name
   | lookup hierarchy_lookup.csv Name
   | eval myLevel = Level2
]
| eventstats values(myLevel) as myLevel
| eval myLevelLetter = substr(myLevel,0,1)
| eval myLevelDigit = substr(myLevel,1,1)
| eval LevelLetter = substr(Level2,0,1)
| eval LevelDigit = substr(Level2,1,1)
| where myLevelLetter = LevelLetter AND LevelDigit > myLevelDigit

View solution in original post

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-04-2018 02:23 AM

@kingwaras ,
In the above example , the lowest level for A should be A3 instead of A2 . Isn't it ?
With the mentioned data, try the below and see if it works for you 

| inputlookup hierarchy_lookup.csv|rex field="Level2" "(?<Alphabet>[A-Z])(?<Number>\d)"|eventstats max(Number) as max by Alphabet|where Number<max

Based on the actual Level2 data , you need to adjust the rex

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

kingwaras
Engager
‎12-04-2018 03:09 AM

Hi @renjith.nair. Yes, correct. The lowest levels are A3 and A2, but your script extract also values B2 and C2.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-04-2018 05:43 AM

OK if you are looking for only "A" , just filter with |where Number<max AND Alphabet="A"

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎12-04-2018 05:46 AM

The thing is that he wants this dynamic based on the currently logged in user, as far as I understand.

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-04-2018 02:15 AM

Try the following. It takes the full lookup. It than adds an extra line containing your name and level, with the level value copied to the myLevel field. It then copies that myLevel field to all other lines. It then splits up the myLevel and Level2 field in each line into the letter and the digit. And finally filters for same letter, higher digit.

| inputlookup hierarchy_lookup.csv 
| append [ 
   | rest /services/authentication/current-context
   | table username
   | rename username as Name
   | lookup hierarchy_lookup.csv Name
   | eval myLevel = Level2
]
| eventstats values(myLevel) as myLevel
| eval myLevelLetter = substr(myLevel,0,1)
| eval myLevelDigit = substr(myLevel,1,1)
| eval LevelLetter = substr(Level2,0,1)
| eval LevelDigit = substr(Level2,1,1)
| where myLevelLetter = LevelLetter AND LevelDigit > myLevelDigit
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...