Splunk Search
Highlighted

Passing comparison operators in a variable

Explorer

Is there a way to dynamically pass a comparison operator as a variable without a macro? I am looking to achieve something similar to what is shown below.

| eval number=8
| eval operator=">="
| eval comparison=7
| eval validate=if(number.operator.comparison,"yep","nope")
0 Karma
Highlighted

Re: Passing comparison operators in a variable

SplunkTrust
SplunkTrust

There are only ugly options, e.g. iterating through all operators with case(), or map. What are you trying to achieve?

0 Karma

Re: Passing comparison operators in a variable

Explorer

Hi Martin. I have a kvstore with rows that have a numerical field and an operator field (among others). I would like to loop through those rows and build a dynamic comparison based off of some search results.

In the example above, the field "number" is from an indexed search. The operator and comparison fields are in the kvstore. I would like to be able to dynamically compare the number/comparison fields based on the provided operator value.

The operators could be any standard operator (=,!=,>=, etc...)

0 Karma
Highlighted

Re: Passing comparison operators in a variable

SplunkTrust
SplunkTrust

Considering there only are six common comparison operators = != < <= > >= I'd recommend creating a macro that houses a big case statement.

View solution in original post

Highlighted

Re: Passing comparison operators in a variable

Explorer

Thank you Martin. I was assuming this would be the answer but was hoping for something more concise. I appreciate the help.

0 Karma