Solved: Why am I yielding an error with Where Statement fo...

blablabla · ‎07-20-2022

Hello,

I am experiencing an interesting Issue. I am trying to filter for a specific value in a numeric field. Following statement works finde:

index="IndexA" 
| eval A.distance=trim('A.distance',"'") 
| eval A.distance='A.distance'/100 
| search A.distance=1

If I am trying to replace the search with a where, I am getting the Error "Error in 'where' command: Type checking failed. The '==' operator received different types."

index="IndexA" 
| eval A.distance=trim('A.distance',"'") 
| eval A.distance='A.distance'/100 
| where A.distance=1

Event Coverage if this value is 100% and all the values get for typeof() the result "Number". All of the values do not have a digit after the comma. We are using Splunk Enterprise 8.2.3.3 . Does someone know, why the where statement is yielding an error in this case?

Thanks

ITWhisperer · ‎07-20-2022

Try not to have special characters in field names - if you want to continue with them, put the field name in single quotes

| where 'A.distance'=1

View solution in original post

ITWhisperer · ‎07-20-2022

Try not to have special characters in field names - if you want to continue with them, put the field name in single quotes

| where 'A.distance'=1

Why am I yielding an error with Where Statement for exact numeric value?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why am I yielding an error with Where Statement for exact numeric value?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem