Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where and eval weirdness?

Lowell
Super Champion
‎02-19-2011 12:16 AM

I have a multi-value field called TotalRows (which is in contains a list of values in time order) and I'm trying to determine when the last value is less than the first value as a simple means to detect decreasing trend in the field....

This approach works:

... | eval first_rows=mvindex(TotalRows,0) 
    | eval last_rows=mvindex(TotalRows,-1)
    | where first_rows>last_rows

But when I simply this expression and remove the extra (unwanted) fields, it doesn't work:

... | where mvindex(TotalRows,0) > mvindex(TotalRows,-1)

Any ideas?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎02-19-2011 12:20 AM

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎02-19-2011 12:20 AM

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))
Reply
Solved! Jump to solution

ryhluc01
Communicator
‎03-01-2019 01:58 PM

Hey @Lowell can you select your answer?

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...