Solved: Command 'search' can't compare two floating number...

thenhaque · ‎11-08-2017

I am writing a saved search to trigger and alert when a difference between values is higher than a threshold. A simplified version of my search is as follows. This threshold is expected to be a floating point number, and Splunk can't do correct comparison:

Did I do something incorrectly?

Thanks

HiroshiSatoh · ‎11-08-2017

Try this!

| NOOP | stats count|eval var1=2.1|eval var2=2.0|where var1 > var2

View solution in original post

thenhaque · ‎11-09-2017

Thanks for all your quick answers. They all work perfectly. I should have posted the question sooner so that I didn't have to spend an hour scratching my head 🙂

mayurr98 · ‎11-08-2017

MuS · ‎11-08-2017

Hi thenhaque,

use where instead of search to compare field values:

| makeresults 
| stats count 
| eval var1=2.1 
| eval var2=2.0
| where var1 < var2

or

| makeresults 
| stats count 
| eval var1=2.1 
| eval var2=2.0
| where var1 > var2

Here is a bit more detail about where vs search commands https://answers.splunk.com/answers/50659/whats-the-difference-between-where-and-search-in-the-pipeli...

Hope this helps ...

cheers, MuS

thenhaque · ‎11-09-2017

Thank you. This works wonderfully.

HiroshiSatoh · ‎11-08-2017

Try this!

| NOOP | stats count|eval var1=2.1|eval var2=2.0|where var1 > var2

Command 'search' can't compare two floating numbers

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases