Solved: Re: Why doesn't a > WHERE clause work when an = do...

47024 · ‎11-15-2019

I cannot seem to get my search to return results when comparing a property with a greater than comparison even though using an equals comparison does work. The 'elements' property in my message is a 0 - x property of the event...meaning it could exist zero times or it could exist multiple times...each element in the event has a 'y' value.

What i'm trying to accomplish is to count each time an event occurs where any of the elements in the event have a y value greater than a value.

example:

This search returns 2 :
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count

This search returns 0 when it should be the same if not more than the above search:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>"1663" | stats count

bowesmana · ‎11-15-2019

If y is multivalue, then things get complicated. If you do a

| table y

do you get a single value field for y in all cases, or multivalue?

If you want to filter where any mv value > 1663, then you need to use mvfilter, e.g.

| makeresults 
| eval y=mvappend("100","200","300","400","2000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

in this case, it will satisfy the condition, but this will not

| makeresults 
| eval y=mvappend("100","200","300","400","1000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

View solution in original post

bowesmana · ‎11-15-2019

If y is multivalue, then things get complicated. If you do a

| table y

do you get a single value field for y in all cases, or multivalue?

If you want to filter where any mv value > 1663, then you need to use mvfilter, e.g.

| makeresults 
| eval y=mvappend("100","200","300","400","2000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

in this case, it will satisfy the condition, but this will not

| makeresults 
| eval y=mvappend("100","200","300","400","1000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0

47024 · ‎11-18-2019

This worked! Thank you very much!

to4kawa · ‎11-15-2019

index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y'

It seems that there are multiple y values.

index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y' 
| eval y=mvindex(y,0)
| stats count(eval(y > 1663)) as count

richgalloway · ‎11-15-2019

Splunk doesn't support greater-than / less-than with strings. If y is a number then use ... | where y>1663 | .... If y is a string use tonumber() to convert it.

---
If this reply helps you, Karma would be appreciated.

47024 · ‎11-15-2019

Thank you for the suggestion...however when taking the string aspect away, it actually returns 0 results with both equals and greater comparisons. I changed to below and still get 0 results when I should get at least 2.

index="lab" source="*-test" | eval y=tonumber('line.message.space-document.design.elements{}.y') | where y>1663 | stats count

richgalloway · ‎11-15-2019

Can you share some sample data? Have you tried the second part of my answer (tonumber())?

---
If this reply helps you, Karma would be appreciated.

Why doesn't a > WHERE clause work when an = does?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation