Solved: Re: Passing comparison operators in a variable

ohbuckeyeio · ‎04-06-2020

Is there a way to dynamically pass a comparison operator as a variable without a macro? I am looking to achieve something similar to what is shown below.

| eval number=8
| eval operator=">="
| eval comparison=7
| eval validate=if(number.operator.comparison,"yep","nope")

martin_mueller · ‎04-06-2020

Considering there only are six common comparison operators = != < <= > >= I'd recommend creating a macro that houses a big case statement.

View solution in original post

martin_mueller · ‎04-06-2020

Considering there only are six common comparison operators = != < <= > >= I'd recommend creating a macro that houses a big case statement.

ohbuckeyeio · ‎04-07-2020

Thank you Martin. I was assuming this would be the answer but was hoping for something more concise. I appreciate the help.

martin_mueller · ‎04-06-2020

There are only ugly options, e.g. iterating through all operators with case(), or map. What are you trying to achieve?

ohbuckeyeio · ‎04-06-2020

Hi Martin. I have a kvstore with rows that have a numerical field and an operator field (among others). I would like to loop through those rows and build a dynamic comparison based off of some search results.

In the example above, the field "number" is from an indexed search. The operator and comparison fields are in the kvstore. I would like to be able to dynamically compare the number/comparison fields based on the provided operator value.

The operators could be any standard operator (=,!=,>=, etc...)

Passing comparison operators in a variable

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability