 
					
				
		
I cannot seem to get my search to return results when comparing a property with a greater than comparison even though using an equals comparison does work. The 'elements' property in my message is a 0 - x property of the event...meaning it could exist zero times or it could exist multiple times...each element in the event has a 'y' value.
What I'm trying to accomplish is to count each time an event occurs where any of the elements in the event have a y value greater than a value.
Example:
This search returns 2:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count
This search returns 0 when it should be the same if not more than the above search:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>"1663" | stats count
 
		
		
		
		
		
	
			
		
		
			
					
		If y is multivalue, then things get complicated. If you do a
| table y
do you get a single value field for y in all cases, or multivalue?
If you want to filter where any mv value > 1663, then you need to use mvfilter, e.g.
| makeresults 
| eval y=mvappend("100","200","300","400","2000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0
in this case, it will satisfy the condition, but this will not
| makeresults 
| eval y=mvappend("100","200","300","400","1000","500")
| eval x=mvfilter(y>1663)
| where mvcount(x)>0
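
Added example, not part of any post in this thread: the same mvfilter test carried through to the event count the question asks for, run over three constructed JSON events (two elements, two elements, zero elements). The simplified path elements{}.y, the field name over and the sample values are assumptions made for the illustration; tonumber() is applied inside the filter so the comparison is numeric even when the extracted values are strings.

```spl
| makeresults count=3
| streamstats count as n
``` constructed sample events: only event 1 has an element with y > 1663 ```
| eval _raw=case(
    n=1, "{\"elements\":[{\"y\":\"100\"},{\"y\":\"1664\"}]}",
    n=2, "{\"elements\":[{\"y\":\"200\"},{\"y\":\"300\"}]}",
    n=3, "{\"elements\":[]}")
``` y becomes multivalue for events 1 and 2, and is missing for event 3 ```
| spath path=elements{}.y output=y
``` keep only the values above the threshold ```
| eval over=mvfilter(tonumber(y)>1663)
``` an event counts once if at least one value survived the filter ```
| where mvcount(over)>0
| stats count
```

The search returns a count of 1: event 2 has no value above the threshold, and event 3 has no y field at all, so mvcount(over) is null for both and the where clause drops them.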
 
		
		
		
		
		
	
			
		
		
			
					
This worked! Thank you very much!
index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y' 
It seems that there are multiple y values.
index="lab" source="*-test" 
| eval y='line.message.space-document.design.elements{}.y' 
| eval y=mvindex(y,0)
| stats count(eval(y > 1663)) as count
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Splunk doesn't support greater-than / less-than with strings.  If y is a number then use ... | where y>1663 | ....  If y is a string use tonumber() to convert it.
 
					
				
		
Thank you for the suggestion...however when taking the string aspect away, it actually returns 0 results with both equals and greater comparisons. I changed to below and still get 0 results when I should get at least 2.
index="lab" source="*-test" | eval y=tonumber('line.message.space-document.design.elements{}.y') | where y>1663 | stats count
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Can you share some sample data? Have you tried the second part of my answer (tonumber())?
