Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search function not working properly when comparing lookup value

johnboldt
Explorer
‎09-30-2011 07:45 AM

I'm using the following search using Splunk 4.2.1:

sourcetype=somesourcetype (tag=Metric AND tag=ResponseTime) NOT tag=Page earliest=-20d | eval upperHost=upper(host) | lookup metrics_lookup Metric as eventtype output ExpectedSLA | lookup cluster_lookup host as upperHost output cluster | search elapsedTime > ExpectedSLA | table cluster, host, eventtype, ExpectedSLA, elapsedTime | sort elapsedTime desc

Both elapsedTime and ExpectedSLA are numeric, yet the search function is not working properly as it does not return any data.

search(elapsedTime < ExpectedSLA) returns all rows, even the ones where elapsedTime is greater than ExpectedSLA.

search(elapsedTime < 200) works as expected, and seach(ExpectedSLA > 200) works as expected; they just don't work together!

Any ideas?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 06:55 PM

Well you should try the 'where' command instead of 'search'. 'where' sees unquoted strings as field names on the right-hand-side of expressions, whereas 'search' sees them as literals.

For example: 

| search foo=bar

will check the foo field against the literal "bar", whereas 

| where foo=bar

will check whether the foo field equals the bar field. Something similar could well be happening with the > operator. (In effect it would be checking whether the elapsedTime field alphabetized after the string constant "ExpectedSLA".... )

The other idea is that eventtype is a multivalued field technically (even if there's only one value), so if you have more than one eventtype this might mean that ExpectedSLA comes out as a multivalued field, and the comparator gets confused.

maybe try a " | nomv eventtype", or a "| mvexpand eventtype" before the lookup?

0 Karma
Reply
Solved! Jump to solution

johnboldt
Explorer
‎10-02-2011 08:53 PM

Thanks Nick - using the where command did the trick!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...