https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57963#M14162 <P>I tried this </P> <P>search dedup AvgOut,AvgOutQNOW | where AvgOutQNOW&gt;AvgOut</P> Mon, 09 Sep 2013 15:59:24 GMT TiagoMatos 2013-09-09T15:59:24Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57960#M14159 <P>Hello, I have a table that returns with these fields: AvgLow and AvgLowNOW, but they appear many times, like this</P> <P>AvgLow AvgLowNOW<BR /> a b<BR /> a b<BR /> a b<BR /> a b<BR /> a b</P> <P>I need to create an alert for when AvgLowNOW is greater then AvgLow. But in custome search condition with "search AvgLowNOW&gt;AvgLow", I catch no events. What can I do to solve this?</P> <P>Thank you</P> Mon, 09 Sep 2013 15:22:52 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57960#M14159 TiagoMatos 2013-09-09T15:22:52Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57961#M14160 <P>Try if() or case() eval functions<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Eval">http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Eval</A></P> <UL> <LI>hypothetical example:</LI> <LI>index=appmgmt | eval x=if(status&gt;=status_description,1,0) | table x</LI> </UL> Mon, 09 Sep 2013 15:56:37 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57961#M14160 wagnerbianchi 2013-09-09T15:56:37Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57962#M14161 <P>I'm Portuguese, but on my work place I don't have access to skype.</P> Mon, 09 Sep 2013 15:58:12 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57962#M14161 TiagoMatos 2013-09-09T15:58:12Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57963#M14162 <P>I tried this </P> <P>search dedup AvgOut,AvgOutQNOW | where AvgOutQNOW&gt;AvgOut</P> Mon, 09 Sep 2013 15:59:24 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57963#M14162 TiagoMatos 2013-09-09T15:59:24Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57964#M14163 <P>Is that work? look the example I've just sent...</P> Mon, 09 Sep 2013 16:02:21 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57964#M14163 wagnerbianchi 2013-09-09T16:02:21Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57965#M14164 <P>Ok thank you!</P> Mon, 09 Sep 2013 16:21:10 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57965#M14164 TiagoMatos 2013-09-09T16:21:10Z https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57966#M14165 <P>Hi Tiago,</P> <P>From your comments in the other answer, it looks as though you're nearly there. The <CODE>where</CODE> function is definitely your friend.</P> <PRE><CODE>&lt;base search&gt; | where AvgLow &lt; AvgLowNOW </CODE></PRE> <P>This will return all results where <CODE>AvgLowNOW</CODE> is greater than <CODE>AvgLow</CODE> (no need to <CODE>dedup</CODE>)</P> <P><STRONG>Reference:</STRONG></P> <UL> <LI><CODE>where</CODE>: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where</A></LI> </UL> Tue, 10 Sep 2013 11:49:55 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Condition/m-p/57966#M14165 rturk 2013-09-10T11:49:55Z