Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search function not working properly when comparing lookup value

johnboldt
Explorer
‎09-30-2011 07:45 AM

I'm using the following search using Splunk 4.2.1:

sourcetype=somesourcetype (tag=Metric AND tag=ResponseTime) NOT tag=Page earliest=-20d | eval upperHost=upper(host) | lookup metrics_lookup Metric as eventtype output ExpectedSLA | lookup cluster_lookup host as upperHost output cluster | search elapsedTime > ExpectedSLA | table cluster, host, eventtype, ExpectedSLA, elapsedTime | sort elapsedTime desc

Both elapsedTime and ExpectedSLA are numeric, yet the search function is not working properly as it does not return any data.

search(elapsedTime < ExpectedSLA) returns all rows, even the ones where elapsedTime is greater than ExpectedSLA.

search(elapsedTime < 200) works as expected, and seach(ExpectedSLA > 200) works as expected; they just don't work together!

Any ideas?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

0 Karma
Reply
Solved! Jump to solution

johnboldt
Explorer
‎10-02-2011 08:53 PM

Thanks Nick - using the where command did the trick!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...