Yodas,
I'm getting odd returns for a transaction in which the final search operator works one way for exact matches (value=3.444), but not for greater than/less than (value>3) searches.
Here are 5 example records that refer to an individual car on a lot and its individual tire pressures (silly, but bear with me please):
type=re subtype=vehicle VIN=123qwe123qwe
type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34
type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80
type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22
type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56
This set of records is repeated multiple times, always with different values of VIN per each five records.
My command,
type=re | transaction VIN
returns the transaction:
type=re subtype=vehicle VIN=123qwe123qwe
type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34
type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80
type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22
type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56
(Fine and dandy.)
The command
type=re | transaction VIN | pressure=30.80
returns the transaction:
type=re subtype=vehicle VIN=123qwe123qwe
type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34
type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80
type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22
type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56
(IF, from the original transaction, I click on the k/v pair pressure=30.80, but not if I type that exact same k/v pair into the search bar)
Oddity number one...
However, the command
type=re | transaction VIN | pressure>30
only returns the two original records:
type=re subtype=re_tire tire=fr VIN=123qw
e123qwe pressure=30.80
type=re subtype=re_tire tire=rr VIN=123qwe1
23qwe pressure=32.56
So, it seems to ignore the transaction, but it ALSO splits my VIN across two lines. No matter how else I search for those subtype=re_tire records, the VIN doesn't split.
There might be a few things going on, yes, but if anyone has some cycles to throw into a smart guess, I would be very appreciative.
Thanks.
This should work (notice the "search" keyword):
type=re | transaction VIN | search pressure=30.80
However, because of the transaction, the pressure field is now a multivalued field, and I don't think mathematical operators will work properly against them (because, in programming lingo, I imagine you're basically saying: [10, 30, 50] > 30, which is nonsensical). Something like this should work though
type=re | transaction VIN | eval a=mvfilter(pressure > 30) | search a=*
There could be a better way out there, but it's escaping me.
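As an added illustration (not from the original thread or from Splunk), here is a small Python model of what `transaction VIN` does to the `pressure` field and why the answer above reaches for a per-value filter. It turns the ten constructed records (the five from the question plus a second, made-up VIN whose tires are all below 30) into merged transactions, shows that an exact-match search hits a multivalue field when any value matches, shows that a single scalar comparison against the merged field has nothing sensible to compare, and then applies an `mvfilter`-style per-value filter. Function names (`parse_records`, `transaction`, `mv_filter`, `tires_over`) are this example's own, not SPL.

```python
"""Toy model of Splunk `transaction` merging and multivalue filtering.

Added example, not from the original thread. The records below are
constructed; a second VIN is added so the filter has something to drop.
"""
from typing import Callable, Dict, List, Tuple, Union

FieldValue = Union[str, List[str]]
Event = Dict[str, str]
Transaction = Dict[str, FieldValue]

# Constructed sample events: the five from the question plus a second vehicle.
SAMPLE_RECORDS = """\
type=re subtype=vehicle VIN=123qwe123qwe
type=re subtype=re_tire tire=fl VIN=123qwe123qwe pressure=20.34
type=re subtype=re_tire tire=fr VIN=123qwe123qwe pressure=30.80
type=re subtype=re_tire tire=rl VIN=123qwe123qwe pressure=15.22
type=re subtype=re_tire tire=rr VIN=123qwe123qwe pressure=32.56
type=re subtype=vehicle VIN=456rty456rty
type=re subtype=re_tire tire=fl VIN=456rty456rty pressure=28.10
type=re subtype=re_tire tire=fr VIN=456rty456rty pressure=29.95
type=re subtype=re_tire tire=rl VIN=456rty456rty pressure=27.00
type=re subtype=re_tire tire=rr VIN=456rty456rty pressure=26.40
"""


def parse_records(text: str) -> List[Event]:
    """Split each non-empty line into key=value pairs (the raw events)."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def transaction(events: List[Event], key: str) -> List[Transaction]:
    """Model of `| transaction <key>`: group events by key in order of first
    appearance. A field with one distinct value stays a plain string; a field
    with several distinct values becomes a multivalue list (order preserved)."""
    groups: Dict[str, List[Event]] = {}
    for ev in events:
        groups.setdefault(ev[key], []).append(ev)
    txns: List[Transaction] = []
    for members in groups.values():
        merged: Dict[str, List[str]] = {}
        for ev in members:
            for k, v in ev.items():
                vals = merged.setdefault(k, [])
                if v not in vals:
                    vals.append(v)
        txns.append({k: (v[0] if len(v) == 1 else v) for k, v in merged.items()})
    return txns


def as_list(value: FieldValue) -> List[str]:
    """Normalise a field to a list so single and multivalue fields are treated alike."""
    return value if isinstance(value, list) else [value]


def search_eq(txns: List[Transaction], field: str, wanted: str) -> List[Transaction]:
    """`| search field=value`: a multivalue field matches if ANY value equals."""
    return [t for t in txns if wanted in as_list(t.get(field, []))]


def scalar_gt(value: FieldValue, threshold: float) -> bool:
    """What `pressure > 30` asks of the merged field: ONE comparison for the
    whole field. For a multivalue list Python raises TypeError; there is no
    single number to compare, which is the answer's point about [10,30,50] > 30."""
    return float(value) > threshold  # type: ignore[arg-type]


def mv_filter(value: FieldValue, pred: Callable[[str], bool]) -> List[str]:
    """`mvfilter(<expr>)`: evaluate the predicate per value, keep the survivors."""
    return [v for v in as_list(value) if pred(v)]


def tires_over(txns: List[Transaction], threshold: float) -> List[Tuple[str, List[str]]]:
    """`| eval a=mvfilter(pressure > 30) | search a=*`: per transaction, the
    pressures above the threshold; transactions with none are dropped."""
    result: List[Tuple[str, List[str]]] = []
    for t in txns:
        kept = mv_filter(t.get("pressure", []), lambda v: float(v) > threshold)
        if kept:
            result.append((str(t["VIN"]), kept))
    return result


if __name__ == "__main__":
    txns = transaction(parse_records(SAMPLE_RECORDS), "VIN")
    print("exact match 30.80 ->", [t["VIN"] for t in search_eq(txns, "pressure", "30.80")])
    print("per-value filter >30 ->", tires_over(txns, 30.0))
```

Running the block stand-alone prints the VIN that matched the exact value and, for the per-value filter, only the first vehicle with its two over-pressure tires; the second vehicle drops out because none of its values survive the filter.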
I forgot to add that I had "search" in my last chunk, but your explanation makes lots of sense. It works, and that's good enough for now. Thank you!