Hi guys, quick question:
I have stats for users that have unique account ids. I want to search events registered only to a specific group of accounts. For example, if I have 1,000 account ids (each made up of 7 digits), I want to display results for account ids below a certain value.
Now I have a search query that displays all of them. When I add "field < value" to the query, Splunk shows me the message "No results found". By "field" I mean a specific word, in my case it's "account_id", and by "value" I mean the specific account number that I want results below (for example, I want results for accounts below 1085382). So just by adding this search parameter I receive no results. What should I do?
Thank you for your help.
I found the problem - for some reason the account_id field is multi-valued, it holds the account id twice. So after using | eval account_id0=mvindex(account_id,0) | where account_id0 < number | the results seem to be displayed correctly.
This is a common problem in Splunk in a Statistics search. Some of my data appeared twice, so I had to make such changes for other fields before as well.
Anyway, thank you all for the help.
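The accepted answer above boils down to one point: when a field holds the same value twice, a plain `account_id < number` filter does not behave like a single-value comparison, so the fix is to pick one value with mvindex (or collapse the duplicates) before comparing. The search below is an added example written for this page, not code from the thread; it builds three constructed events with makeresults and mvappend (the account numbers and the `account_id0` / `value_count` field names are illustrative), exposes how many values each event carries, and then applies the comparison to the first value only, the way the accepted answer does:

```spl
| makeresults
| eval account_id=mvappend("1085381", "1085381")
| append [| makeresults | eval account_id=mvappend("1085390", "1085390")]
| append [| makeresults | eval account_id="1085000"]
| eval value_count=mvcount(account_id)
| eval account_id0=tonumber(mvindex(account_id, 0))
| where account_id0 < 1085382
| table account_id value_count account_id0
```

The first two events have `value_count` of 2, which is the symptom described in the answer; the third is a normal single-valued field. Only the events whose first value is numerically below 1085382 survive the `where`, i.e. the 1085381 and 1085000 rows. Wrapping the value in tonumber() makes the comparison numeric rather than lexical, which matters once ids differ in digit count. If the duplicate values are always identical, `eval account_id=mvdedup(account_id)` is an alternative to mvindex that collapses the field back to a single value; mvcount is the quick check for whether a field is affected at all.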
Yes, I do. The field is fine. I can search for specific id by inserting parameter account_id = 'number'.
In this case I receive results for this id. If for the same exact search I replace = with < or >, the search fails and I see the message "No results".
You cannot use the quotes in the way you just did in the comment above.
will not work unless that exact string actually exists in an event.
However, if your events look like this:
2014-02-19 11:22:33 userid=1234 blah blah
you can search for the literal string "userid=1234", but not "userid<1500".
Could that be the issue?
I see, this is exactly what I use. It is similar to what MuS recommended. I use "account_id < number" in the same search window with index and sourcetype. And I also tried it outside with | where...
Nothing works so far. And I know that I do it right because when I use account_id = number, equal to a specific id, then I get results.
This was just an example of how the search language works. The sample data I used is from the _internal index, and all Splunk installations have that, so you can test the query by cut-and-paste.
Thank you for answers. The first solution by MuS didn't work. I received the same message.
Regarding the solution by kristian.kolb, I am not quite sure I understand it. I already have index, sourcetype and status fields. I enter specific values for them that are relevant for my search.
What I am looking for is a way to filter those results by account id numbers (not by the number of ids, but by specific id numbers, if you understand what I mean).
Append (without the dots, but include the |) this to your existing search:
... | where account_id < "1085382" ...
This will return all account_id's which are less than
hope this helps ...
Strange, this is what I see in the error details.
In any case I found the problem - for some reason the account_id field is multi-valued, it holds the account id twice. So after using | where account_id0 < number | the results seem to be displayed correctly.
Let me explain more. The service is games, played by users. I search for the number of game plays and the number of users, per game. In the results I receive a list of games, and each has stats for how many game plays and how many users played the game.
What I want to filter is the results from users that have an id number higher than the one I want. Or vice versa: lower than what I want.
So the original search is not for account ids, I just want my results for specific account ids. Hope I clarified this a bit.