Solved: Where and eval weirdness?

Lowell · ‎02-19-2011

I have a multi-value field called TotalRows (which is in contains a list of values in time order) and I'm trying to determine when the last value is less than the first value as a simple means to detect decreasing trend in the field....

This approach works:

... | eval first_rows=mvindex(TotalRows,0) 
    | eval last_rows=mvindex(TotalRows,-1)
    | where first_rows>last_rows

But when I simply this expression and remove the extra (unwanted) fields, it doesn't work:

... | where mvindex(TotalRows,0) > mvindex(TotalRows,-1)

Any ideas?

Lowell · ‎02-19-2011

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))

View solution in original post

Lowell · ‎02-19-2011

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))

ryhluc01 · ‎03-01-2019

Hey @Lowell can you select your answer?

Where and eval weirdness?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation