Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Percentage in range - numeric search?

timbCFCA
Path Finder
‎05-28-2014 06:32 AM

I have a field extraction that comes back with the literal values of 'X%'. Note that the % is part of the value returned. I now need to do searches based on the range of the value of the loss field. 

index=* ping sprint-uplink ( loss>0% AND loss<100% )

Is there a good native way to do this or do I need to eval / regex out the numerical values?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2014 07:19 AM

I'm tempted to suggest something like (loss>'0%' AND lost<'100%'), but am not sure you can compare strings like that. I think you'll need to extract the numeric value. Have a look at convert().

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2014 07:19 AM

I'm tempted to suggest something like (loss>'0%' AND lost<'100%'), but am not sure you can compare strings like that. I think you'll need to extract the numeric value. Have a look at convert().

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎05-28-2014 07:29 AM

The convert function is a whole lot cleaner compared to my initial idea of using a regex. Thanks!

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎05-28-2014 07:02 AM

I'd suggest changing your field extraction to only extract the numeric value, rather than include the '%' and forcing it to act as a string.

This way you could simply run something similar to your search with: (loss>0 AND loss<100)

Otherwise you are going to need an eval to get a substring, or a rex on field loss ( rex field=loss "(?<loss_num>[^\%]*)\%" ), combined with a search command ( search (loss_num>0 AND loss_num<100) )

If you don't change the extraction, your search will look something like this:

index=* ping sprint-uplink | rex field=loss "(?<loss_num>[^\%]*)\%" | search loss_num>0 AND loss_num<100
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎05-28-2014 07:22 AM

I thought about it, but others of my searches depend on it having the percent sign included.. Modifying isn't feasible. The rex you provided is nearly identical to what I use, except I use '\d+'. I was mostly hoping for a native way to handle this kind of conversion.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...