Re: use * in floor

Splunkie1 · ‎10-30-2023

I have a field called position that contains integers and a token called position_select that is either a floating point number or a * (=all positions).

Now i want to search all positions that match position_select.

So i tried something like that:

index = index1

| eval position_search = floor($position_select$)

| where position = position_search

The problem is that you of course can't use * in floor.

Another problem is that | where position = * is impossible too.

However i cant use | search because | search position = position_search does not work.

So the question is, is there any way to use something like floor() on position_select?

ITWhisperer · ‎10-30-2023

Set up your selection so that the value of the selection includes the where command, except in the case of *

    <input type="dropdown" token="position_select" searchWhenChanged="true">
      <label>Floored $position_select$</label>
      <choice value="">*</choice>
      <choice value="| where position=1">1.2</choice>
      <choice value="| where position=2">2.4</choice>
    </input>

Then just use the token in your search

index = index1
$position_select$

Splunkie1 · ‎10-30-2023

Thank you but, I get position_select dynamically from a search with up to 1000 results.

working through each position individually would be impractical.

Is there another way?

ITWhisperer · ‎10-30-2023

Have your dynamic search return two fields, one with the float in as the label field, and the other with a string of the where command.

use * in floor

eval

fields

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?