Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Numeric Comparison on Eventtype?

Jason
Motivator
‎10-11-2011 06:57 PM

I'm dealing with a stream of monitoring data with good and bad events, but no text to distinguish them apart. Good vs. bad is defined as follows, by comparing the same two fields found in every event:

Good event: previous_status < current_status
Bad event: current_status < previous_status

I need to be able to eventtype and tag these events, but comparing two fields in the search command does not seem possible - I only got expected results by using a | where and that is not supported in an eventtype.

How do I eventtype this data properly?

And why can we only compare a field to a static numeric value in search, rather than another numeric field??

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-11-2011 09:55 PM

No, you can't do this in a base search (or equivalently, in the search command), and therefore you can't specify this as an eventtype. I think this is a fairly straightforward and reasonable enhancement request.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎10-11-2011 10:00 PM

'search' assumes that the right side of the comparison is a string literal (i.e how x=y is processed on the right-most part of the search). 'where' treats both sides as variables rather than literals, similar to sql's 'where'.

Event types are designed to classify specific types of events, not comparisons of two or more events. You should probably look at alerting.

Reply
Solved! Jump to solution

Jason
Motivator
‎10-11-2011 11:18 PM

I updated the question above with better clarity. Both fields are in the same event. I just need to compare the two fields to one another, and it seems a bit unreasonable that you have to use a separate command for this.

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-11-2011 09:55 PM

No, you can't do this in a base search (or equivalently, in the search command), and therefore you can't specify this as an eventtype. I think this is a fairly straightforward and reasonable enhancement request.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-11-2011 10:39 PM

What he isn't making clear (which he did offline) is that the two fields he is comparing are two field in the same event. If they were in different events, I would agree with you, but for numeric comparisons of fields in the same events (not string comparisons, and not in different events) this is not really any different from what Splunk already does. Furthermore, for eventtyping, it would be okay even if the fields are non-numeric.

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎10-11-2011 10:01 PM

I disagree - this is far outside the design of eventtyping and tagging.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...