topic Re: How to filter a field from the log where the values change in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680919#M232896 <P>I recommend using the "where" command:<BR /><BR /></P> <LI-CODE lang="markup">index=indexname sourcetype=eventname | where result1 &gt; 5</LI-CODE> <P><BR /><BR />(note this assumes that result1 is already an extracted field. If not, try this:</P> <LI-CODE lang="markup">index=indexname sourcetype=eventname | rex field=_raw "result1=(?&lt;result1&gt;\d*)" | where result1 &gt; 5</LI-CODE> Sat, 16 Mar 2024 20:19:28 GMT marnall 2024-03-16T20:19:28Z How to filter a field from the log where the values change https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680914#M232895 <P>How to filter a field from the log where the values change for example please see below,</P><P>logfile =(result1=0 result2=5 result3=10 result4=14)&nbsp; at 5AM</P><P>logfile =(result1=8 result2=5 result3=10 result4=14) at 5:10Am</P><P>logfile =(result1=4 result2=5 result3=10 result4=14) at 5:20Am</P><P>logfile =(result1=3 result2=5 result3=10 result4=14) at 5:30Am</P><P>i want query to return result and show when result1 is greater than 5, please help</P><P>Current state im at =index=indexname | search sourcetype=eventname "result1=5" gives results but if i do<BR />index=indexname | search sourcetype=eventname "result1&gt; 5" returns nothing</P><P>&nbsp;</P> Sat, 16 Mar 2024 17:45:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680914#M232895 Rajpranar 2024-03-16T17:45:35Z Re: How to filter a field from the log where the values change https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680919#M232896 <P>I recommend using the "where" command:<BR /><BR /></P> <LI-CODE lang="markup">index=indexname sourcetype=eventname | where result1 &gt; 5</LI-CODE> <P><BR /><BR />(note this assumes that result1 is already an extracted field. If not, try this:</P> <LI-CODE lang="markup">index=indexname sourcetype=eventname | rex field=_raw "result1=(?&lt;result1&gt;\d*)" | where result1 &gt; 5</LI-CODE> Sat, 16 Mar 2024 20:19:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680919#M232896 marnall 2024-03-16T20:19:28Z Re: How to filter a field from the log where the values change https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680928#M232897 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263556">@marnall</a>&nbsp;this worked perfectly.</P> Sat, 16 Mar 2024 23:54:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-a-field-from-the-log-where-the-values-change/m-p/680928#M232897 Rajpranar 2024-03-16T23:54:23Z