topic Re: using greater than comparison on a property is not working in Splunk Search

using greater than comparison on a property is not working

47024 — Fri, 15 Nov 2019 14:50:42 GMT

I am trying to filter my results on a property that is greater than a certain value and it is not returning any results. If I do an equals to comparison it works. Below is my filter criteria and the property outline.

Query:
index="lab" source="*-test" | eval isGood=if('line.message.space-document.elements{}.y'>="1664","true","false") | where isGood="true" | stats count

Below is the format of the event i'm trying to capture:
line: { [-]
message: { [-]
space-document: { [-]
elements: [ [-]
{ [-]
x: 38
y: 1664
}
{ [-]
id: ac5q3ghn
x: 38
y: 708
}
]
}
}
}

Re: using greater than comparison on a property is not working

Sukisen1981 — Fri, 15 Nov 2019 15:54:30 GMT

try this

index="lab" source="*-test" |rex field=_raw "y:(?<y>.*)"|eval isGood=if(y>=1664,"true","false")|..rest of your code

Re: using greater than comparison on a property is not working

47024 — Fri, 15 Nov 2019 17:01:29 GMT

Thank you for the suggestion, but it didn't seem to change the results...however not sure if I coded it correctly:
index="lab" source="-test" | rex field=_raw "y:(?.)" | eval isGood=if(y=1664,"true","false") | where isGood="true" | stats count

Re: using greater than comparison on a property is not working

Sukisen1981 — Fri, 15 Nov 2019 17:04:59 GMT

hi @47024
Remove all code after the rex, are you able to see the values of 'y' returned by the rex? index="lab" source="*-test" |rex field=_raw "y:(?<y>.*)|table y"

Re: using greater than comparison on a property is not working

47024 — Fri, 15 Nov 2019 18:05:19 GMT

No I don't see any results other than just 'y'. For context...I can use > comparison for properties out of one of the other groups...but the elements group is where it is having the problem. I was curious if it was because there can be 1-x elements per event?

https://docs.google.com/drawings/d/16qy44bgdiODiJTFmS7qqicVdvsOYtax57VZ00QKaFks/edit?usp=sharing

Re: using greater than comparison on a property is not working

47024 — Fri, 15 Nov 2019 18:40:36 GMT

This statement returns 2 :
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count

This statement returns 0:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>="1664" | stats count

Re: using greater than comparison on a property is not working

to4kawa — Sat, 16 Nov 2019 06:31:31 GMT

| makeresults 
| eval _raw ="{\"line\": { \"message\": { \"space-document\": { \"elements\": [ { \"x\": 38, \"y\": 1664 }, { \"id\": \"ac5q3ghn\", \"x\": 38, \"y\": 708 } ] } } } }"
| spath

for this result, y is multivalue.

| makeresults 
| eval _raw ="{\"line\": { \"message\": { \"space-document\": { \"elements\": [ { \"x\": 38, \"y\": 1664 }, { \"id\": \"ac5q3ghn\", \"x\": 38, \"y\": 708 } ] } } } }"
| spath
| eval y='line.message.space-document.elements{}.y'
| eval count = mvcount(mvfilter(y>=1664))
| eventstats sum(count) as Total

If y is counted, it will look like this.