Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to String Compare?

chengyu
Path Finder
‎05-06-2015 12:16 AM

Hi Sir:
My Raw data CurrentPrice,VendorPrice1...is string not number, so i use convert change fields attribute. I hope VendorPrice1 < CurrentPrice or VendorPrice2 < CurrentPrice or VendorPrice3 < CurrentPrice appear data and highlights red color. If use ... |search VendorPrice1 < 0.3345 | ... is fine, if use |search VendorPrice1 < CurrentPrice| data is error, It can not seem to use than the size of the string, should can i do? Thank you.

My RAW data:
CurrentPrice VendorPrice1 VendorPrice2 VendorPrice3
.3345 .3303 .3302 .3305

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 < CurrentPrice) OR (VendorPrice2 < CurrentPrice) OR (VendorPrice3 < CurrentPrice) ) |stats values(CurrentPrice) values(VendorPrice1) values(VendorPrice2) values(VendorPrice3) by RfqNo,PartNo,VendorCode

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-06-2015 04:44 AM

Hi Runals:

         I have try where command | where VendorPrice1 &lt; CurrentPrice |, result still  the same.
0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-07-2015 07:28 PM

I misplaced where command. Sorry, already resolve.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 03:46 AM

Hello! When you use Values (X), The order of the values is lexicographical. Try the list function as follows and let me know what happen:

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 &lt; CurrentPrice) OR (VendorPrice2 &lt; CurrentPrice) OR (VendorPrice3 &lt; CurrentPrice) ) |stats list(CurrentPrice) list(VendorPrice1) list(VendorPrice2) list(VendorPrice3) by RfqNo,PartNo,VendorCode
SGF
0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

0 Karma
Reply
Solved! Jump to solution

vganjare
Builder
‎05-06-2015 12:59 AM

Is there any value of the CurrentPrice which is lesser than any of the VendorPrices? In current example, the current price value .3345 is largest among all the prices.

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...