https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24089#M4369 <P>This should work (notice the "search" keywork):</P> <PRE><CODE>type=re | transaction VIN | search pressure=30.80 </CODE></PRE> <P>However, because of the transaction, the pressure field is now a multivalued field, and I don't think mathematical operators will work properly against them (because, in programming lingo, I imagine you're basically saying: [10, 30, 50] &gt; 30, which is nonsensical). Something like this should work though</P> <PRE><CODE>type=re | transaction VIN | eval a=mvfilter(pressure &gt; 30) | search a=* </CODE></PRE> <P>There could be a better way out there, but it's escaping me.</P> Tue, 07 Jun 2011 20:58:45 GMT mw 2011-06-07T20:58:45Z https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24088#M4368 <P>Yodas, </P> <P>I'm getting odd returns for a transaction in which the final search operator works one way for exact matches (value=3.444), but not for greater than/less than (value&gt;3) searches.</P> <P>Here are 5 example records that refer to an individual car on a lot, and it's individual tire pressures (silly, but bear with me please):</P> <PRE><CODE>type=re subtype=vehicle VIN=123qwe123qwe type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34 type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80 type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22 type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56 </CODE></PRE> <P>This set of records is repeated multiple times, always with different values of VIN per each five records.</P> <P>My command, </P> <PRE><CODE>type=re | transaction VIN </CODE></PRE> <P>returns the transaction:</P> <PRE><CODE>type=re subtype=vehicle VIN=123qwe123qwe type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34 type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80 type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22 type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56 </CODE></PRE> <P>(Fine and dandy.)</P> <P>The command</P> <PRE><CODE>type=re | transaction VIN | pressure=30.80 </CODE></PRE> <P>returns the transaction:</P> <PRE><CODE>type=re subtype=vehicle VIN=123qwe123qwe type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34 type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80 type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22 type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56 </CODE></PRE> <P>(IF, from the original transaction, I click on the k/v pair, <CODE>pressure=30.80</CODE>, but not if I type that exact same k/v pair into the search bar)<BR /> Oddity number one...</P> <P>However, the command</P> <PRE><CODE>type=re | transaction VIN | pressure&gt;30 </CODE></PRE> <P>only returns the two original records:</P> <PRE><CODE> type=re subtype=re_tire tire=fr VIN=123qw e123qwe pressure=30.80 type=re subtype=re_tire tire=rr VIN=123qwe1 23qwe pressure=32.56 </CODE></PRE> <P>So, it seems to ignore the transaction, but it ALSO splits my VIN across two lines. No matter how else I search for thosesubtype=re_tire records, the VIN doesn't split. </P> <P>There might be a few things going on, yes, but if anyone has some cycles to throw into a smart guess, I would be very appreciative.</P> <P>Thanks.</P> Tue, 07 Jun 2011 16:48:01 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24088#M4368 blurblebot 2011-06-07T16:48:01Z https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24089#M4369 <P>This should work (notice the "search" keywork):</P> <PRE><CODE>type=re | transaction VIN | search pressure=30.80 </CODE></PRE> <P>However, because of the transaction, the pressure field is now a multivalued field, and I don't think mathematical operators will work properly against them (because, in programming lingo, I imagine you're basically saying: [10, 30, 50] &gt; 30, which is nonsensical). Something like this should work though</P> <PRE><CODE>type=re | transaction VIN | eval a=mvfilter(pressure &gt; 30) | search a=* </CODE></PRE> <P>There could be a better way out there, but it's escaping me.</P> Tue, 07 Jun 2011 20:58:45 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24089#M4369 mw 2011-06-07T20:58:45Z https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24090#M4370 <P>I forgot to add that I had "search" in my last chunk, but your explanation makes lots of sense. It works, and that's good enough for now. Thank you!</P> Tue, 07 Jun 2011 21:04:55 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Oddities-comparison-field-splitting-click-vs-type/m-p/24090#M4370 blurblebot 2011-06-07T21:04:55Z