Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to String Compare?

chengyu
Path Finder
‎05-06-2015 12:16 AM

Hi Sir:
My Raw data CurrentPrice,VendorPrice1...is string not number, so i use convert change fields attribute. I hope VendorPrice1 < CurrentPrice or VendorPrice2 < CurrentPrice or VendorPrice3 < CurrentPrice appear data and highlights red color. If use ... |search VendorPrice1 < 0.3345 | ... is fine, if use |search VendorPrice1 < CurrentPrice| data is error, It can not seem to use than the size of the string, should can i do? Thank you.

My RAW data:
CurrentPrice VendorPrice1 VendorPrice2 VendorPrice3
.3345 .3303 .3302 .3305

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 < CurrentPrice) OR (VendorPrice2 < CurrentPrice) OR (VendorPrice3 < CurrentPrice) ) |stats values(CurrentPrice) values(VendorPrice1) values(VendorPrice2) values(VendorPrice3) by RfqNo,PartNo,VendorCode

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-06-2015 04:44 AM

Hi Runals:

         I have try where command | where VendorPrice1 &lt; CurrentPrice |, result still  the same.
0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-07-2015 07:28 PM

I misplaced where command. Sorry, already resolve.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 03:46 AM

Hello! When you use Values (X), The order of the values is lexicographical. Try the list function as follows and let me know what happen:

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 &lt; CurrentPrice) OR (VendorPrice2 &lt; CurrentPrice) OR (VendorPrice3 &lt; CurrentPrice) ) |stats list(CurrentPrice) list(VendorPrice1) list(VendorPrice2) list(VendorPrice3) by RfqNo,PartNo,VendorCode
SGF
0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

0 Karma
Reply
Solved! Jump to solution

vganjare
Builder
‎05-06-2015 12:59 AM

Is there any value of the CurrentPrice which is lesser than any of the VendorPrices? In current example, the current price value .3345 is largest among all the prices.

Thanks!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...