Solved: Command 'search' can't compare two floating number...

thenhaque · ‎11-08-2017

I am writing a saved search to trigger and alert when a difference between values is higher than a threshold. A simplified version of my search is as follows. This threshold is expected to be a floating point number, and Splunk can't do correct comparison:

Did I do something incorrectly?

Thanks

HiroshiSatoh · ‎11-08-2017

Try this!

| NOOP | stats count|eval var1=2.1|eval var2=2.0|where var1 > var2

View solution in original post

thenhaque · ‎11-09-2017

Thanks for all your quick answers. They all work perfectly. I should have posted the question sooner so that I didn't have to spend an hour scratching my head 🙂

mayurr98 · ‎11-08-2017

MuS · ‎11-08-2017

Hi thenhaque,

use where instead of search to compare field values:

| makeresults 
| stats count 
| eval var1=2.1 
| eval var2=2.0
| where var1 < var2

or

| makeresults 
| stats count 
| eval var1=2.1 
| eval var2=2.0
| where var1 > var2

Here is a bit more detail about where vs search commands https://answers.splunk.com/answers/50659/whats-the-difference-between-where-and-search-in-the-pipeli...

Hope this helps ...

cheers, MuS

thenhaque · ‎11-09-2017

Thank you. This works wonderfully.

HiroshiSatoh · ‎11-08-2017

Try this!

| NOOP | stats count|eval var1=2.1|eval var2=2.0|where var1 > var2

Command 'search' can't compare two floating numbers

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...