Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparison of two date fields gives bad result

niamurph
Explorer
‎06-19-2017 12:40 AM

I use the following query in an attempt to view a subset of the file test10UniqueActiveUsers.csv

|inputlookup test10UniqueActiveUsers.csv | eval t=relative_time(now(), "-200d@d") | eval fa=strptime(firstactivity, "%s") | search "fa"<="t" |table fa, t, firstactivity

However the clause "fa"<="t" is always true and it returns the whole table.
If I do not use the generated ield t and instead put in the exact numeric value the it works fine. So 

|inputlookup test10UniqueActiveUsers.csv | eval t=relative_time(now(), "-200d@d") | eval fa=strptime(firstactivity, "%s") | search "fa"<=1480550400.0 |table fa, t, firstactivity

works perfectly for >= or <=.
In the output table I can see that t is in fact equal to 1480550400.0, so the two queries above should be exactly equivalent.

The only thing I can think of is that one of the fields might have an odd type like a string, and a number string comparison is happening, but I do not know how to confirm or fix that.

For the first query where the comparison is always true the output is:

fa                            t      firstactivity  
1484407682.000000   1480550400.000000   1484407682
1479115786.000000   1480550400.000000   1479115786
1484531129.000000   1480550400.000000   1484531129
1481212575.000000   1480550400.000000   1481212575
1490712727.000000   1480550400.000000   1490712727
1482140767.000000   1480550400.000000   1482140767
1476115342.000000   1480550400.000000   1476115342
1484696713.000000   1480550400.000000   1484696713
1489640643.000000   1480550400.000000   1489640643
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-19-2017 08:06 AM

When comparing the values of two fields, do not use search, use where. 

 | where fa<=t

The search keyword assumes the item on the left is a field name and the item on the right is a value. The where keyword allows both sides to be evaluated.

See the section on comparing two fields, midway down this page...

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Search

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-19-2017 08:06 AM

When comparing the values of two fields, do not use search, use where. 

 | where fa<=t

The search keyword assumes the item on the left is a field name and the item on the right is a value. The where keyword allows both sides to be evaluated.

See the section on comparing two fields, midway down this page...

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Search

Reply
Solved! Jump to solution

niamurph
Explorer
‎06-19-2017 08:11 AM

Thanks - that fixed it.

Reply
Solved! Jump to solution

3no
Communicator
‎06-19-2017 05:35 AM

Hi,

You can use tonumber on both of your field to be sure they are Integer : 

| eval myInt = tonumber(your_field)

3no.

0 Karma
Reply
Solved! Jump to solution

niamurph
Explorer
‎06-19-2017 06:30 AM

I tried that and nothing changed - maybe my theory about the field type is wrong and the cause is something else. I am baffled !

0 Karma
Reply
Solved! Jump to solution

3no
Communicator
‎06-19-2017 06:54 AM

Try with :
| search fa<=t (without the "")

Reply
Solved! Jump to solution

niamurph
Explorer
‎06-19-2017 07:46 AM

Sorry - I tried that as well. No success. I only added the " s when the version without failed !!

0 Karma
Reply
Solved! Jump to solution

niamurph
Explorer
‎06-19-2017 08:12 AM

Oh actually I have it working onw, and it needs the " removed alright - but the original cause was the fact that I used 'search' instead of 'where'

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...