I am writing a saved search to trigger an alert when a difference between values is higher than a threshold. A simplified version of my search is as follows. This threshold is expected to be a floating-point number, and Splunk can't do a correct comparison:
| NOOP | stats count | eval var1=2.1 | eval var2=2.0 | search var1 > var2
==> No results found. Try expanding the time range.
| NOOP | stats count | eval var1=2.1 | eval var2=2.0 | search var1 < var2
==> count var1 var2
0 2.1 2.0
Did I do something incorrectly?
Thanks
Try this!
| NOOP | stats count | eval var1=2.1 | eval var2=2.0 | where var1 > var2
Thanks for all your quick answers. They all work perfectly. I should have posted the question sooner so I wouldn't have spent an hour scratching my head 🙂
Use where instead of search
Try this
| NOOP | stats count | eval var1=2.1 | eval var2=2.0 | where var1 > var2
Hi thenhaque,
use where instead of search to compare field values:
| makeresults
| stats count
| eval var1=2.1
| eval var2=2.0
| where var1 < var2
or
| makeresults
| stats count
| eval var1=2.1
| eval var2=2.0
| where var1 > var2
Here is a bit more detail about the where vs search commands: https://answers.splunk.com/answers/50659/whats-the-difference-between-where-and-search-in-the-pipeli...
Hope this helps ...
cheers, MuS
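The reason the original search behaved the way it did: the search command does not compare two fields. In "search var1 > var2" the right-hand side is taken as the literal string "var2", and because the text "2.1" sorts before the text "var2", the "<" form matched and the ">" form did not. The where command evaluates an expression in which both sides are field references and numeric values compare numerically. The following is an added example (not code from the thread or from any of the answers above) of the original poster's actual goal, alerting when the difference between two values exceeds a threshold; the hosts, baseline and current values, and the threshold of 25.0 are constructed sample data, not real measurements:

```spl
| makeresults count=4
| streamstats count AS row
| eval host=case(row=1, "web-01", row=2, "web-02", row=3, "db-01", row=4, "vpn-01")
| eval baseline=case(row=1, "120.5", row=2, "80.0", row=3, "200.0", row=4, "15.0")
| eval current=case(row=1, "150.0", row=2, "82.5", row=3, "310.0", row=4, "14.0")
| eval threshold=25.0
| eval delta=abs(tonumber(current) - tonumber(baseline))
| where delta > threshold
| table host baseline current delta threshold
```

The baseline and current values are deliberately created as strings, which is how they usually arrive from a field extraction or a lookup; tonumber() forces a numeric comparison so that, for example, "9.5" is not treated as greater than "10.0". With these values only web-01 (delta 29.5) and db-01 (delta 110.0) pass the where clause. Replacing the where line with "| search delta > threshold" would compare delta against the literal string "threshold" and return nothing, which is the same failure the question describes.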
Thank you. This works wonderfully.