https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/132999#M36324 <P>How do you - as a human - determine the number of times AQ2 has been greater than AQ1 in your example table at the bottom of the post? I see no timestamp with both values set, so I can't make a comparison in my head - that's before trying to make Splunk do it for me.</P> Fri, 31 Jan 2014 20:42:20 GMT martin_mueller 2014-01-31T20:42:20Z https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/132998#M36323 <P>I have a query Q1 which is used to collect avg over 10 days.Say the average is AvgQ1 100. I have another query Q2 which collects 5 min samples over 2 different weekend days for the avg. We have say a few values for avg say AvgQ2: 50,60,70,80,90,100,110,120,130,140,150 for example. I want to check how many values in this exceed the avg found above as 100. Things are okay when I have 2 queries and do in manually. But I have to automate this. So I have to use variables than hardcoded values. For example</P> <P>The normal way to check when values are exceeded in Q2 results above is:</P> <P>| stats count(eval(AvgQ2 &gt;= 100)) as countoverlimit --&gt;This works when I do it manually</P> <P>| stats count(eval(AvgQ2 &gt;= AvgQ1 )) as countoverlimt --&gt; When this is constant is treated as variable to automate it, I have issues, because splunk gives error for that construct</P> <P>The other way is to use different construct</P> <P>| where AvgQ2 &gt; 100 | stats count as countoverlimit --&gt; This works with hard coded value</P> <P>| where AvgQ2 &gt; AvgQ1 | stats count as countoverlimit --&gt; When this constant is treated as variable to automate it, there seem issues, since splunk gives error for that construct.</P> <P>Lets say when you store in a csv file and use it in Q2, it will look like this.</P> <P>sourcetype="yoursourcetypewiththenumbers" [| inputlookup AvgQ1.csv | fields AvgQ1 ] --&gt; This works as usual and depends on where you use it. This will become the below and works.</P> <P>sourcetype="yoursourcetypewiththenumbers" 100</P> <P>But what if want to use this within where clause?</P> <P>| where AvgQ2 &gt; AvgQ1 . Inside where clause if I used the above construct, it doesnt work since splunk will give error.</P> <P>| where AvgQ2 &gt; [| inputlookup AvgQ1.csv | fields AvgQ1 ]. Also this wont work either since its within where clause</P> <P>The same with eval</P> <P>| stats count(eval(AvgQ2 &gt;= [| inputlookup AvgQ1.csv | fields AvgQ1 ] )) as countoverlimt --&gt; This wont work either.</P> <P>Other options are to store these values in 2 different csv files. Either as csv or lookup usage.</P> <P>Then I can also combine the results into 1 csv or lookup file to simplify it. The first line will be from Q1 result. The rest will be from Q2 result. I can reference the first value as first(AvgQ1). But I cant use this as variable in splunk eval and where constructs as above because it has a variable construct rather than hardcoded value. </P> <P>Here is the combined csv file with values.</P> <OL> <LI>time,AvgQ1,AvgQ2<BR /></LI> <LI>t1,100,</LI> <LI>t2, ,50</LI> <LI>t3, ,60</LI> <LI>t4, ,70</LI> <LI> , ,</LI> <LI> , ,</LI> <LI>tx , , 100</LI> <LI>ty , , 150</LI> </OL> <P>How would the query be written to get number of times AvgQ2 values is over AvgQ1?</P> <P>The result should be 110,120,130,140,150 which is count of 5?</P> <P>Any help will be appreciated. I hope I can get this to automate.</P> Fri, 31 Jan 2014 06:39:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/132998#M36323 iTechEvent 2014-01-31T06:39:16Z https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/132999#M36324 <P>How do you - as a human - determine the number of times AQ2 has been greater than AQ1 in your example table at the bottom of the post? I see no timestamp with both values set, so I can't make a comparison in my head - that's before trying to make Splunk do it for me.</P> Fri, 31 Jan 2014 20:42:20 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/132999#M36324 martin_mueller 2014-01-31T20:42:20Z https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/133000#M36325 <P>Try this</P> <PRE><CODE>&lt;your query 2 giving field AvgQ2, multiple events&gt; | table AvgQ2 | eval joinfield=1 | join joinfield [search &lt;your query 1 giving single value AvgQ1&gt; | table AvgQ1 | eval joinfield=1] | fields - joinfield | where AvgQ2 &gt; AvgQ1 </CODE></PRE> <P>This should give you all the AvgQ2 values which are higher than AvgQ1. To get count your can further append "| stats count".</P> Fri, 31 Jan 2014 22:59:59 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/133000#M36325 somesoni2 2014-01-31T22:59:59Z https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/133001#M36326 <P>I tried it and it works great. Thanks for your help.</P> Sun, 02 Feb 2014 08:32:13 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-when-using-variable-instead-of-constant-in-splunk/m-p/133001#M36326 iTechEvent 2014-02-02T08:32:13Z