Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search function not working properly when comparing lookup value

johnboldt
Explorer
‎09-30-2011 07:45 AM

I'm using the following search using Splunk 4.2.1:

sourcetype=somesourcetype (tag=Metric AND tag=ResponseTime) NOT tag=Page earliest=-20d | eval upperHost=upper(host) | lookup metrics_lookup Metric as eventtype output ExpectedSLA | lookup cluster_lookup host as upperHost output cluster | search elapsedTime > ExpectedSLA | table cluster, host, eventtype, ExpectedSLA, elapsedTime | sort elapsedTime desc

Both elapsedTime and ExpectedSLA are numeric, yet the search function is not working properly as it does not return any data.

search(elapsedTime < ExpectedSLA) returns all rows, even the ones where elapsedTime is greater than ExpectedSLA.

search(elapsedTime < 200) works as expected, and seach(ExpectedSLA > 200) works as expected; they just don't work together!

Any ideas?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

0 Karma
Reply
Solved! Jump to solution

johnboldt
Explorer
‎10-02-2011 08:53 PM

Thanks Nick - using the where command did the trick!

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...