https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/523536#M88402 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Thanks, this works</P> Wed, 07 Oct 2020 21:29:58 GMT nits 2020-10-07T21:29:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/522749#M88287 <P>I have a query which looks like:<BR />index=test "TestRequest" | dedup _time | rex field=_raw "Price\":(?&lt;price&gt;.*?)," | rex field=_raw REQUEST-ID=(?&lt;REQID&gt;.*?)\s | rex field=_raw "Amount\":(?&lt;amount&gt;.*?)}," | rex field=_raw "ItemId\":\"(?&lt;itemId&gt;.*?)\"}" | eval discount=round(exact(price-amount),2) , percent=(discount/price)*100<BR />, time=strftime(_time, "%m-%d-%y %H:%M:%S") | stats list(time) as Time list(itemId) as "Item" list(REQID) as X-REQUEST-ID list(price) as "Original Price" list(amount) as "Test Price" list(discount) as "Dollar Discount" list(percent) as "Percent Override" by _time<BR />[search index=test "UserId=" | rex field=_raw UserId=(?&lt;userId&gt;.*?)# | dedup userId | rex field=_raw X-REQUEST-ID=(?&lt;REQID&gt;.*?)\s | stats list(userId) as "User ID" list(REQID) as X-REQUEST-ID by _time]<BR />| where "Dollar Discount"&gt;=500.00 OR "Percent Override"&gt;=50.00<BR />| table&nbsp; "User ID" Item "Original Price" "Dollar Discount" "Test Price" "Percent Override" Time<BR /><BR />This query throws error as mismatch type for&nbsp;"Dollar Discount"&gt;=500.00 OR "Percent Override"&gt;=50.00<BR />Since my fields in the table have "" e.g.&nbsp;"Dollar Discount" or&nbsp;"Percent Override", it doesn't work. If i replace these fields names without quotes as&nbsp;Dollar_Discount and&nbsp;Percent_Override, it works fine.<BR />how to use a table field with name listed in quotes in where clause?</P> Fri, 02 Oct 2020 20:58:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/522749#M88287 nits 2020-10-02T20:58:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/522752#M88288 <P>Try using single quotes for fields in where clauses</P><LI-CODE lang="markup">index=test "TestRequest" | dedup _time | rex field=_raw "Price\":(?&lt;price&gt;.*?)," | rex field=_raw REQUEST-ID=(?&lt;REQID&gt;.*?)\s | rex field=_raw "Amount\":(?&lt;amount&gt;.*?)}," | rex field=_raw "ItemId\":\"(?&lt;itemId&gt;.*?)\"}" | eval discount=round(exact(price-amount),2) , percent=(discount/price)*100 , time=strftime(_time, "%m-%d-%y %H:%M:%S") | stats list(time) as Time list(itemId) as "Item" list(REQID) as X-REQUEST-ID list(price) as "Original Price" list(amount) as "Test Price" list(discount) as "Dollar Discount" list(percent) as "Percent Override" by _time [search index=test "UserId=" | rex field=_raw UserId=(?&lt;userId&gt;.*?)# | dedup userId | rex field=_raw X-REQUEST-ID=(?&lt;REQID&gt;.*?)\s | stats list(userId) as "User ID" list(REQID) as X-REQUEST-ID by _time] | where 'Dollar Discount'&gt;=500.00 OR 'Percent Override'&gt;=50.00 | table "User ID" Item "Original Price" "Dollar Discount" "Test Price" "Percent Override" Time</LI-CODE> Fri, 02 Oct 2020 21:28:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/522752#M88288 ITWhisperer 2020-10-02T21:28:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/523536#M88402 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Thanks, this works</P> Wed, 07 Oct 2020 21:29:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-where-clause-with-table-containing-fields-within/m-p/523536#M88402 nits 2020-10-07T21:29:58Z