Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a threshold from lookup and create a default value?

JohnnyMnemonic
Explorer
‎09-05-2023 07:49 AM

Hi, 

I'm trying to create a filter based on a threshold value that is unique for some objects and fixed for the others.

index=main
| loopup thresholds_table.csv object output threshold
| where number > threshold

 

The lookup contains something like:

object threshold
chair    20
pencil  40

 

The problem here is that no all objects are inside the lookup, so I want to fix a threshold number for all other objects, for example I want to fix a threshold of 10 for every object except for those inside the lookup.

I tried these things without success:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold = coalesce(threshold, 10)
| where number > threshold
index=main
| fillnull value=10 threshold
| loopup thresholds_table.csv object output threshold
| where number > threshold

index=main
| eval threshold = 10
| loopup thresholds_table.csv object output threshold
| where number > threshold

 

The objective is identify when an object reach an X average value, except for those objects that have a higher average value.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 07:53 AM

Hi @JohnnyMnemonic,

if the threshold value is fixed when not present in the lppkup, you can use an eval:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold=if(isnull(threshold),10,threshold)
| where number > threshold

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 07:53 AM

Hi @JohnnyMnemonic,

if the threshold value is fixed when not present in the lppkup, you can use an eval:

index=main
| loopup thresholds_table.csv object output threshold
| eval threshold=if(isnull(threshold),10,threshold)
| where number > threshold

Ciao.

Giuseppe

Reply
Solved! Jump to solution

JohnnyMnemonic
Explorer
‎09-05-2023 08:19 AM

EDIT: Nevermind, I had an issue in my splunk server that was returning incorrect results, the solution works perfect!

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...