Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a threshold from lookup and create a default value?

JohnnyMnemonic
Explorer
‎09-05-2023 07:49 AM

Hi, 

I'm trying to create a filter based on a threshold value that is unique for some objects and fixed for the others.

index=main
| loopup thresholds_table.csv object output threshold
| where number > threshold

 

The lookup contains something like:

object threshold
chair    20
pencil  40

 

The problem here is that no all objects are inside the lookup, so I want to fix a threshold number for all other objects, for example I want to fix a threshold of 10 for every object except for those inside the lookup.

I tried these things without success:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold = coalesce(threshold, 10)
| where number > threshold
index=main
| fillnull value=10 threshold
| loopup thresholds_table.csv object output threshold
| where number > threshold

index=main
| eval threshold = 10
| loopup thresholds_table.csv object output threshold
| where number > threshold

 

The objective is identify when an object reach an X average value, except for those objects that have a higher average value.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 07:53 AM

Hi @JohnnyMnemonic,

if the threshold value is fixed when not present in the lppkup, you can use an eval:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold=if(isnull(threshold),10,threshold)
| where number > threshold

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 07:53 AM

Hi @JohnnyMnemonic,

if the threshold value is fixed when not present in the lppkup, you can use an eval:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold=if(isnull(threshold),10,threshold)
| where number > threshold

Ciao.

Giuseppe

Reply
Solved! Jump to solution

JohnnyMnemonic
Explorer
‎09-05-2023 08:19 AM

EDIT: Nevermind, I had an issue in my splunk server that was returning incorrect results, the solution works perfect!

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...