Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to String Compare?

chengyu
Path Finder
‎05-06-2015 12:16 AM

Hi Sir:
My Raw data CurrentPrice,VendorPrice1...is string not number, so i use convert change fields attribute. I hope VendorPrice1 < CurrentPrice or VendorPrice2 < CurrentPrice or VendorPrice3 < CurrentPrice appear data and highlights red color. If use ... |search VendorPrice1 < 0.3345 | ... is fine, if use |search VendorPrice1 < CurrentPrice| data is error, It can not seem to use than the size of the string, should can i do? Thank you.

My RAW data:
CurrentPrice VendorPrice1 VendorPrice2 VendorPrice3
.3345 .3303 .3302 .3305

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 < CurrentPrice) OR (VendorPrice2 < CurrentPrice) OR (VendorPrice3 < CurrentPrice) ) |stats values(CurrentPrice) values(VendorPrice1) values(VendorPrice2) values(VendorPrice3) by RfqNo,PartNo,VendorCode

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-06-2015 04:44 AM

Hi Runals:

         I have try where command | where VendorPrice1 &lt; CurrentPrice |, result still  the same.
0 Karma
Reply
Solved! Jump to solution

chengyu
Path Finder
‎05-07-2015 07:28 PM

I misplaced where command. Sorry, already resolve.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 03:46 AM

Hello! When you use Values (X), The order of the values is lexicographical. Try the list function as follows and let me know what happen:

sourcetype=xxx Status=Approved PartNo=$PartNo$ VendorCode=$VendorCode$ | Convert num(CurrentPrice) as CurrentPrice,num(VendorPrice1) as VendorPrice1,num(VendorPrice2) as VendorPrice2,,num(VendorPrice3) as VendorPrice3 | search ((VendorPrice1 &lt; CurrentPrice) OR (VendorPrice2 &lt; CurrentPrice) OR (VendorPrice3 &lt; CurrentPrice) ) |stats list(CurrentPrice) list(VendorPrice1) list(VendorPrice2) list(VendorPrice3) by RfqNo,PartNo,VendorCode
SGF
0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎05-06-2015 03:42 AM

In your case since you are comparing values in a field what you want to use is where not search as in

... | where VendorPrice1 &lt; CurrentPrice | ...

The search command like you've used it WILL work if you put in values as you've seen

0 Karma
Reply
Solved! Jump to solution

vganjare
Builder
‎05-06-2015 12:59 AM

Is there any value of the CurrentPrice which is lesser than any of the VendorPrices? In current example, the current price value .3345 is largest among all the prices.

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...