topic How do I filter string values from a greater-than-or-equal-to numerical comparison? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-string-values-from-a-greater-than-or-equal-to/m-p/468446#M131900 <P>I have a field in my query called <CODE>Attempt</CODE> that is either a non-negative integer or a special value "null". I use the special "null" string value because I am creating a summary query and don't want to lose events for which fields aren't present. I therefore use the <CODE>fillnull</CODE> operator that you can see in the query below:</P> <PRE><CODE>index="fraud" sourcetype=strategy-engine ActivityStep=rs | rex field=_raw "\"rescoreAttemptNumber\":\"(?&lt;Attempt&gt;\d*)\"}," | rex field=_raw "\"riskRecommendationQuality\":{\"status\":\"(?&lt;Strength&gt;\w*)\"," | fillnull value=null ActivityName Attempt IrisRoutingKey OperationName ProductName Strength | stats count by ActivityName,Attempt,IrisRoutingKey,OperationName,ProductName,Strength | search (OperationName=compute OR OperationName=executeRuleSet) AND Attempt&gt;= 10 AND Strength="DEGRADED" </CODE></PRE> <P>My problem is really the <CODE>Attempt&gt;=10</CODE> term because I see both "null" and "10" values in my results table. My table returned is the table below:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7854i47898FF39B0990D1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Ideally, I would like to filter such results where <CODE>Attempt=null</CODE> without using the term <CODE>Attempt&gt;=10 AND Attempt!=null</CODE> because the first part of the query (up to and including the <CODE>stats</CODE> operator) is actually a new general-purpose summary query. I suspect that people using this summary query will often forget to use the <CODE>Attempt!="null"</CODE> and just end up with extraneous results if I require them to use this term.</P> <P>Is there any way to get Splunk to filter out non-numerical values from a <CODE>LHS&gt;=RHS</CODE> style-comparison? Your help would be greatly appreciated.</P> Wed, 30 Oct 2019 21:58:18 GMT entpnerd 2019-10-30T21:58:18Z How do I filter string values from a greater-than-or-equal-to numerical comparison? https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-string-values-from-a-greater-than-or-equal-to/m-p/468446#M131900 <P>I have a field in my query called <CODE>Attempt</CODE> that is either a non-negative integer or a special value "null". I use the special "null" string value because I am creating a summary query and don't want to lose events for which fields aren't present. I therefore use the <CODE>fillnull</CODE> operator that you can see in the query below:</P> <PRE><CODE>index="fraud" sourcetype=strategy-engine ActivityStep=rs | rex field=_raw "\"rescoreAttemptNumber\":\"(?&lt;Attempt&gt;\d*)\"}," | rex field=_raw "\"riskRecommendationQuality\":{\"status\":\"(?&lt;Strength&gt;\w*)\"," | fillnull value=null ActivityName Attempt IrisRoutingKey OperationName ProductName Strength | stats count by ActivityName,Attempt,IrisRoutingKey,OperationName,ProductName,Strength | search (OperationName=compute OR OperationName=executeRuleSet) AND Attempt&gt;= 10 AND Strength="DEGRADED" </CODE></PRE> <P>My problem is really the <CODE>Attempt&gt;=10</CODE> term because I see both "null" and "10" values in my results table. My table returned is the table below:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7854i47898FF39B0990D1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Ideally, I would like to filter such results where <CODE>Attempt=null</CODE> without using the term <CODE>Attempt&gt;=10 AND Attempt!=null</CODE> because the first part of the query (up to and including the <CODE>stats</CODE> operator) is actually a new general-purpose summary query. I suspect that people using this summary query will often forget to use the <CODE>Attempt!="null"</CODE> and just end up with extraneous results if I require them to use this term.</P> <P>Is there any way to get Splunk to filter out non-numerical values from a <CODE>LHS&gt;=RHS</CODE> style-comparison? Your help would be greatly appreciated.</P> Wed, 30 Oct 2019 21:58:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-string-values-from-a-greater-than-or-equal-to/m-p/468446#M131900 entpnerd 2019-10-30T21:58:18Z Re: How do I filter string values from a greater-than-or-equal-to numerical comparison? https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-string-values-from-a-greater-than-or-equal-to/m-p/468447#M131901 <P>@entpnerd ,</P> <P>Try using <CODE>where</CODE> for comparison which should filter out the result &gt;=10 ignoring the null</P> Thu, 31 Oct 2019 03:22:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-string-values-from-a-greater-than-or-equal-to/m-p/468447#M131901 renjith_nair 2019-10-31T03:22:47Z