Splunk Search

Inner Search between values

Explorer

Hi folks, I have a problem with this search:

source="source" | 
rex field= ...|
eval value=  (part of regex command)|
eval result= [ | inputcsv CSV_DATA.CSV |
eval x=if (minvalue <= value AND maxvalue >= value, returnstuff, "Nothing") | 
return $x] | 
stats count by result

minvalue and maxvalue are fields from the CSV. "value" is from the outer search. "returnstuff" is a field from the CSV.
Can somebody please tell me what I am doing wrong, since I don't get any results? This would be very helpful.

0 Karma

SplunkTrust

One option that can be tried is using join (may be a bit slower). Assuming the value of the field 'value' is always within the range mentioned in the CSV_DATA.CSV file, this should work.

source="source" |
rex field= ...|
eval value=  (part of regex command)|
eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | table joinfield, min, max, valueA ] |
eval result=if (min <= value AND max >= value, valueA, "Nothing") | where result!="Nothing" |
stats count by result

If there are cases where the value of the field 'value' may not fall into any of the ranges (and that is the case where you want to return 'Nothing'), then try this:

source="source" |
rex field= ...|
eval value=  (part of regex command)|
eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | eventstats min(min) as lowercutoff max(max) as uppercutoff | table joinfield, min, max, valueA, lowercutoff, uppercutoff ] |
eval result=case(min <= value AND max >= value, valueA, lowercutoff > value OR value > uppercutoff, "Nothing", 1=1, "Do Not Use") | where result!="Do Not Use" |
stats count by result
0 Karma
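The join in the answer above pairs every outer event with every row of CSV_DATA.CSV (a constant join key with max=0 is a cartesian product) and then keeps only the pairs whose range encloses the value. The following Python model, an added example that is not from the original thread, replays the semantics of both suggested queries and of the first-match lookup the question describes, over a constructed CSV and a constructed set of event values (one value inside each range, one in the gap between the two ranges, one below and one above all ranges). The CSV columns, the field name value, and the result strings "Nothing" and "Do Not Use" are taken from the thread; the sample numbers and function names are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for CSV_DATA.CSV, using the columns shown in the thread.
CSV_DATA = """min,max,valueA
1111111111111,1221111111111,AA
1222111111111,1311111111111,CC
"""

# Constructed stand-in for the 'value' field of the outer search's events:
# inside AA, inside CC, in the gap between AA and CC, below every range,
# inside CC again, above every range.
EVENT_VALUES = [1200000000000, 1300000000000, 1221500000000,
                999, 1250000000000, 5000000000000]


def load_ranges(text):
    """Parse the CSV into rows with numeric min/max (SPL compares numeric-looking strings numerically)."""
    return [{"min": int(r["min"]), "max": int(r["max"]), "valueA": r["valueA"]}
            for r in csv.DictReader(io.StringIO(text))]


def join_and_filter(values, ranges):
    """Model of the first query: join max=0 on a constant key, then
    eval result=if(min<=value AND max>=value, valueA, "Nothing") | where result!="Nothing".
    An event that matches no row loses all its joined copies and disappears."""
    results = []
    for value in values:
        for r in ranges:                      # cartesian product of events x CSV rows
            result = r["valueA"] if r["min"] <= value <= r["max"] else "Nothing"
            if result != "Nothing":           # where result!="Nothing"
                results.append(result)
    return results


def join_with_cutoffs(values, ranges):
    """Model of the second query: eventstats min(min)/max(max) give global cutoffs, then
    case(in range -> valueA, outside all cutoffs -> "Nothing", else "Do Not Use") | where result!="Do Not Use".
    Note that an out-of-range event yields one "Nothing" per CSV row, so the count is
    inflated by the number of CSV rows, and a value in a gap between ranges still disappears."""
    lower = min(r["min"] for r in ranges)
    upper = max(r["max"] for r in ranges)
    results = []
    for value in values:
        for r in ranges:
            if r["min"] <= value <= r["max"]:
                result = r["valueA"]
            elif value < lower or value > upper:
                result = "Nothing"
            else:
                result = "Do Not Use"
            if result != "Do Not Use":
                results.append(result)
    return results


def classify_first_match(values, ranges):
    """What the question asks for: exactly one result per event, the valueA of the
    first row whose range encloses the value, otherwise "Nothing"."""
    results = []
    for value in values:
        hit = next((r["valueA"] for r in ranges if r["min"] <= value <= r["max"]), "Nothing")
        results.append(hit)
    return results


def stats_count_by_result(results):
    """Equivalent of | stats count by result."""
    return dict(Counter(results))


if __name__ == "__main__":
    ranges = load_ranges(CSV_DATA)
    print("join + where        :", stats_count_by_result(join_and_filter(EVENT_VALUES, ranges)))
    print("join + cutoffs      :", stats_count_by_result(join_with_cutoffs(EVENT_VALUES, ranges)))
    print("first-match per event:", stats_count_by_result(classify_first_match(EVENT_VALUES, ranges)))
```

Running it side by side makes the difference visible: the plain join keeps only matching events, the cutoff variant adds "Nothing" for values outside all ranges but counts them once per CSV row and still drops values that fall between two ranges, while a per-event first-match lookup counts every event exactly once.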

Explorer

The CSV_Data.CSV contains multiple lines. It has a min and a max value and several statements. The eval value is a sum function that adds the values out of the rex field= command. The inner search should return one value from CSV_Data.CSV.
The CSV data looks like this:

min             max             valueA
1111111111111   1221111111111   AA
1222111111111   1311111111111   CC
...

What I am trying to return is the valueA field value between the min and max values, and at least count the values of the inner searches in the outer search.

0 Karma

Legend

What are you trying to accomplish? If you could explain what you want to get, and a little about the data, then the community could probably help.

Although I do think there is something wrong with your return statement, that is probably only part of the problem!

0 Karma

SplunkTrust

Does the CSV_DATA.CSV file contain only one row or multiple rows?

0 Karma