Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Inner Search between values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inner Search between values
Hi Folks, I have a problem with the search
source="source" |
rex field= ...|
eval value= (part of regex command)|
eval result= [ | inputcsv CSV_DATA.CSV |
eval x=if (minvalue <= value AND maxvalue >= value, returnstuff, "Nothing") |
return $x] |
stats count by result
minvalue And maxvalue are fields from the CSV. "value" is from the outer search. "returnstuff" is a field from the CSV.
Can Somebody please tell me what I do wrong that I don't get some results. This would be very Helpfull
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One option that can be tried is using join (may be bit slower). Assuming the value of the field 'value' is always within the range mentioned in the CSV_DATA.CSV file, this should work.
source="source" |
rex field= ...|
eval value= (part of regex command)|
|eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | table joinfield, min, max, valueA ]
| eval result=if (minvalue <= value AND maxvalue >= value, valueA , "Nothing") | where result!="Nothing" |
stats count by result
If there are cases where the value of the field 'value' may not fall into any of the range (and that is the case where you want to return 'Nothing', then try this:
source="source" |
rex field= ...|
eval value= (part of regex command)|
|eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | eventstats min(min) as lowercutoff max(max) as uppercutoff | table joinfield, min, max, valueA ,lowercutoff ,uppercutoff ]
| eval result=case(minvalue <= value AND maxvalue >= value, valueA ,lowercutoff > value OR value > uppercutoff, "Nothing" ,1=1,"Do Not Use") | where result!="Do Not Use" |
stats count by result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The CSV_Data.CSV contains multiple lines. It has a min and a max value and several statements. The eval value is a sum function that adds the values out of the rex field= command. The inner search should return one values of the CSV_Data.CSV
the data CSV looks like this
min max valueA
1111111111111 1221111111111 AA
1222111111111 1311111111111 CC
.
.
.
What I try to return is the valueA field value between the min and the max functions and at least count the values of the inner searches at the outer Search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what are you trying to accomplish? If you could explain what you want to get, and a little about the data, then the community could probably help.
Although I do think there is something wrong with your return statement - that is probably only part of the problem!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does CSV_DATA.CSV file contains only one row or multiple?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
