Solved: Re: Why doesn't a > WHERE clause work when an = do...

47024 · ‎11-15-2019

I cannot seem to get my search to return results when comparing a property with a greater than comparison even though using an equals comparison does work. The 'elements' property in my message is a 0 - x property of the event...meaning it could exist zero times or it could exist multiple times...each element in the event has a 'y' value.

What i'm trying to accomplish is to count each time an event occurs where any of the elements in the event have a y value greater than a value.

example:

This search returns 2 :
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count

This search returns 0 when it should be the same if not more than the above search:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>"1663" | stats count

bowesmana · ‎11-15-2019

If y is multivalue, then things get complicated. If you do a

| table y

do you get a single value field for y in all cases, or multivalue?

If you want to filter where any mv value > 1663, then you need to use mvfilter, e.g.

| makeresults 
| eval y=mvappend("100","200","300","400","2000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

in this case, it will satisfy the condition, but this will not

| makeresults 
| eval y=mvappend("100","200","300","400","1000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

View solution in original post

bowesmana · ‎11-15-2019

If y is multivalue, then things get complicated. If you do a

| table y

do you get a single value field for y in all cases, or multivalue?

If you want to filter where any mv value > 1663, then you need to use mvfilter, e.g.

| makeresults 
| eval y=mvappend("100","200","300","400","2000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

in this case, it will satisfy the condition, but this will not

| makeresults 
| eval y=mvappend("100","200","300","400","1000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

47024 · ‎11-18-2019

This worked! Thank you very much!

to4kawa · ‎11-15-2019

index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y'

It seems that there are multiple y values.

index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y' 
| eval y=mvindex(y,0)
| stats count(eval(y > 1663)) as count

richgalloway · ‎11-15-2019

Splunk doesn't support greater-than / less-than with strings. If y is a number then use ... | where y>1663 | .... If y is a string use tonumber() to convert it.

---
If this reply helps you, Karma would be appreciated.

47024 · ‎11-15-2019

Thank you for the suggestion...however when taking the string aspect away, it actually returns 0 results with both equals and greater comparisons. I changed to below and still get 0 results when I should get at least 2.

index="lab" source="*-test" | eval y=tonumber('line.message.space-document.design.elements{}.y') | where y>1663 | stats count

richgalloway · ‎11-15-2019

Can you share some sample data? Have you tried the second part of my answer (tonumber())?

---
If this reply helps you, Karma would be appreciated.

Why doesn't a > WHERE clause work when an = does?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life