Solved: Where and eval weirdness?

Lowell · ‎02-19-2011

I have a multi-value field called TotalRows (which is in contains a list of values in time order) and I'm trying to determine when the last value is less than the first value as a simple means to detect decreasing trend in the field....

This approach works:

... | eval first_rows=mvindex(TotalRows,0) 
    | eval last_rows=mvindex(TotalRows,-1)
    | where first_rows>last_rows

But when I simply this expression and remove the extra (unwanted) fields, it doesn't work:

... | where mvindex(TotalRows,0) > mvindex(TotalRows,-1)

Any ideas?

Lowell · ‎02-19-2011

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))

View solution in original post

Lowell · ‎02-19-2011

Hmm, think I figured it out.

It looks like mvindex must always consider it's return value to be a string. Therefore, forcing it to a number allows the single expression to work:

... | where tonumber(mvindex(TotalRows,0)) > tonumber(mvindex(TotalRows,-1))

ryhluc01 · ‎03-01-2019

Hey @Lowell can you select your answer?

Where and eval weirdness?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor