I have a field extraction that comes back with the literal values of 'X%'. Note that the % is part of the value returned. I now need to do searches based on the range of the value of the loss field.
index=* ping sprint-uplink ( loss>0% AND loss<100% )
Is there a good native way to do this or do I need to eval / regex out the numerical values?
I'm tempted to suggest something like (loss>'0%' AND loss<'100%'), but am not sure you can compare strings like that. I think you'll need to extract the numeric value. Have a look at convert().
The convert function is a whole lot cleaner compared to my initial idea of using a regex. Thanks!
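An added example, not part of the original thread, of the convert approach mentioned above: rmunit() keeps the leading number and drops the trailing text, and AS writes the result to a new field so the original loss value keeps its percent sign. The field names loss_num and origin and the sample values are constructed for illustration.

```spl
| makeresults
| eval origin="constructed sample values, not real ping data"
| eval loss=split("0%,5%,9%,50%,100%", ",")
| mvexpand loss
| convert rmunit(loss) AS loss_num
| where loss_num>0 AND loss_num<100
| table origin loss loss_num
```

Only the 5%, 9% and 50% rows are returned. Against real events, the first four lines are replaced by the base search, i.e. index=* ping sprint-uplink | convert rmunit(loss) AS loss_num | where loss_num>0 AND loss_num<100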
I'd suggest changing your field extraction to only extract the numeric value, rather than include the '%' and forcing it to act as a string.
This way you could simply run something similar to your search with: (loss>0 AND loss<100)
Otherwise you are going to need an eval to get a substring, or a rex on field loss ( rex field=loss "(?<loss_num>[^\%]*)\%" ), combined with a search command ( search (loss_num>0 AND loss_num<100) )
If you don't change the extraction, your search will look something like this:
index=* ping sprint-uplink | rex field=loss "(?<loss_num>[^\%]*)\%" | search loss_num>0 AND loss_num<100
I thought about it, but other searches of mine depend on it having the percent sign included. Modifying isn't feasible. The rex you provided is nearly identical to what I use, except I use '\d+'. I was mostly hoping for a native way to handle this kind of conversion.