Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

use * in floor

Splunkie1
Loves-to-Learn Lots
‎10-30-2023 05:49 AM

I have a field called position that contains integers and a token called position_select that is either a floating point number or a * (=all positions).

Now i want to search all positions that match position_select.

So i tried something like that:

index = index1

| eval position_search = floor($position_select$)

| where position = position_search

The problem is that you of course can't use * in floor.

Another problem is that | where position = * is impossible too.

However i cant use | search because | search position = position_search  does not work.

 

So the question is, is there any way to use something like floor()  on position_select?

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2023 06:19 AM

Set up your selection so that the value of the selection includes the where command, except in the case of *

    <input type="dropdown" token="position_select" searchWhenChanged="true">
      <label>Floored $position_select$</label>
      <choice value="">*</choice>
      <choice value="| where position=1">1.2</choice>
      <choice value="| where position=2">2.4</choice>
    </input>

Then just use the token in your search

index = index1
$position_select$
0 Karma
Reply

Splunkie1
Loves-to-Learn Lots
‎10-30-2023 07:03 AM

Thank you but, I get position_select dynamically from a search with up to 1000 results.

working through each position individually would be impractical.

Is there another way?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2023 07:35 AM

Have your dynamic search return two fields, one with the float in as the label field, and the other with a string of the where command.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...