Hello, I have a table that returns with these fields: AvgLow and AvgLowNOW, but they appear many times, like this
AvgLow AvgLowNOW
a b
a b
a b
a b
a b
I need to create an alert for when AvgLowNOW is greater than AvgLow. But in the custom search condition with "search AvgLowNOW>AvgLow", I catch no events. What can I do to solve this?
Thank you
Hi Tiago,
From your comments in the other answer, it looks as though you're nearly there. The where function is definitely your friend.
<base search> | where AvgLow < AvgLowNOW
This will return all results where AvgLowNOW is greater than AvgLow (no need to dedup).
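Why the two commands behave differently, as an added example that is not part of the original answers: `search AvgLowNOW>AvgLow` compares the field against the literal string AvgLow, while `where` evaluates both sides as fields. The five rows are constructed with makeresults (assumes a Splunk version that provides it), and row, breaching_rows and max_AvgLowNOW are illustrative names.

```spl
| makeresults count=5
| streamstats count AS row
| eval AvgLow=10
| eval AvgLowNOW=case(row<=2, 8, row==3, 10, true(), 15)
| where AvgLowNOW > AvgLow
| stats count AS breaching_rows, max(AvgLowNOW) AS max_AvgLowNOW, max(AvgLow) AS AvgLow
| where breaching_rows > 0
```

Rows 4 and 5 breach, so the repeated rows collapse into one summary row and an alert can trigger on "number of results greater than 0". The final where is needed because stats count over an empty set still emits a row with a count of 0.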
Try if() or case() eval functions
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Eval
Ok thank you!
Does that work? Look at the example I've just sent...
I tried this
search dedup AvgOut,AvgOutQNOW | where AvgOutQNOW>AvgOut
I'm Portuguese, but at my workplace I don't have access to Skype.