Splunk Filter from Lookup

Thulasinathan_M · ‎09-24-2024

Hi Splunk Experts,
I've a lookup with field 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, I wish to accomplish below Use cases. Kindly advice if it's possible.

Cases:
Lookup Priority value is '5', I've to get the max(Rates) from Priority Values 1 to 5.
Lookup Priority value is '4', I've to get the max(Rates) from Priority Values 1 to 4.
Lookup Priority value is '3', I've to get the max(Rates) from Priority Values 1 to 3.
Lookup Priority value is '1', I've to get the max(Rates) from Priority Values 1.

gcusello · ‎09-24-2024

Hi @Thulasinathan_M ,

please try this:

| inputlookup your_lookup.csv
| stats 
     max((eval(Priority=*, Rate, 0))) AS Rate_5
     max((eval(Priority<5, Rate, 0))) AS Rate_4
     max((eval(Priority<4, Rate, 0))) AS Rate_3
     max((eval(Priority<2, Rate, 0))) AS Rate_1
     BY User

Ciao.

Giuseppe

Thulasinathan_M · ‎09-25-2024

Thanks @gcusello,
But this will create a multiple fields, but I wish to have this in a single field and results duplicated as each entity. So it'll be easy for me to use lookup join

Example Dataset:

USER	Rate	Priority
UX101	1.4	2
UX101	2.3	4
UX342	4.6	5
UX515	7.3	1
UX515	2.1	3

Expecting Output:

USER	Rate	Priority
UX101	1.4	1
UX101	1.4	2
UX101	2.3	3
UX101	2.3	4
UX101	2.3	5
UX342	4.6	1
UX342	4.6	2
UX342	4.6	3
UX342	4.6	4
UX342	4.6	5
UX515	7.3	1
UX515	7.3	2
UX515	7.3	3
UX515	7.3	4
UX515	7.3	5

Splunk Filter from Lookup

lookup

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Splunk Filter from Lookup

lookup

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard