Hi folks, I have a problem with this search:
source="source" |
rex field= ...|
eval value= (part of regex command)|
eval result= [ | inputcsv CSV_DATA.CSV |
eval x=if (minvalue <= value AND maxvalue >= value, returnstuff, "Nothing") |
return $x] |
stats count by result
minvalue and maxvalue are fields from the CSV. "value" is from the outer search. "returnstuff" is a field from the CSV.
Can somebody please tell me what I am doing wrong that I don't get any results? This would be very helpful.
One option that can be tried is using join (it may be a bit slower). Assuming the value of the field 'value' is always within the range mentioned in the CSV_DATA.CSV file, this should work.
source="source" |
rex field= ...|
eval value= (part of regex command)|
eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | table joinfield, min, max, valueA ]
| eval result=if (min <= value AND max >= value, valueA , "Nothing") | where result!="Nothing" |
stats count by result
If there are cases where the value of the field 'value' may not fall into any of the ranges (and that is the case where you want to return 'Nothing'), then try this:
source="source" |
rex field= ...|
eval value= (part of regex command)|
eval joinfield=1 | join max=0 joinfield [ | inputcsv CSV_DATA.CSV | eval joinfield=1 | eventstats min(min) as lowercutoff max(max) as uppercutoff | table joinfield, min, max, valueA ,lowercutoff ,uppercutoff ]
| eval result=case(min <= value AND max >= value, valueA ,lowercutoff > value OR value > uppercutoff, "Nothing" ,1=1,"Do Not Use") | where result!="Do Not Use" |
stats count by result
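A self-contained way to try the join-based range match from the answer above on any Splunk instance (an added example, not part of the original thread). The four `value` events and the helper fields `n`, `row` and `parts` are constructed; the two ranges are the rows the thread shows for CSV_DATA.CSV, built inline with makeresults instead of inputcsv. It goes slightly beyond the answer by collapsing the joined rows back to one result per event, so a value that falls in the gap between two ranges is also counted as "Nothing".

```spl
| makeresults count=4
| streamstats count AS n
| eval value=case(n=1, 1150000000000,
                  n=2, 1250000000000,
                  n=3, 1221500000000,
                  n=4, 9000000000000)
| eval joinfield=1
| join max=0 joinfield
    [| makeresults
     | eval row=split("1111111111111,1221111111111,AA;1222111111111,1311111111111,CC", ";")
     | mvexpand row
     | eval parts=split(row, ","),
            min=tonumber(mvindex(parts, 0)),
            max=tonumber(mvindex(parts, 1)),
            valueA=mvindex(parts, 2)
     | eval joinfield=1
     | table joinfield, min, max, valueA]
| eval result=if(min <= value AND max >= value, valueA, null())
| stats values(result) AS result BY n, value
| fillnull value="Nothing" result
| stats count BY result
```

To run it against the real file, replace everything in the subsearch before the second `eval joinfield=1` with `| inputcsv CSV_DATA.CSV`.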
The CSV_Data.CSV contains multiple lines. It has a min and a max value and several statements. The eval value is a sum function that adds the values out of the rex field= command. The inner search should return one value of the CSV_Data.CSV.
The data CSV looks like this:
min max valueA
1111111111111 1221111111111 AA
1222111111111 1311111111111 CC
.
.
.
What I am trying to return is the valueA field value between the min and the max functions, and at least count the values of the inner searches in the outer search.
What are you trying to accomplish? If you could explain what you want to get, and a little about the data, then the community could probably help.
Although I do think there is something wrong with your return statement - that is probably only part of the problem!
Does the CSV_DATA.CSV file contain only one row or multiple?