Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing two fields with > operator

srw46
Path Finder
‎07-06-2010 08:59 AM

Hello,

I am trying to compare two fields with a simple operator but it does not seem to perform as expected. I am simply trying to return any transaction times that are over the value of the 'threshold' field. This is what I'm trying:

time_taken>threshold

I have found another way around this by using the eval command:

eval over=time_taken-threshold | search over>0

This essentially does the same thing in a very round about way but it less than neat.

Is there something i'm missing to compare field to another field? I have scoured documention but can't find any examples of this.

Thanks in advance

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎07-06-2010 01:43 PM

I think you want to use where and not search. The where search operation lets you compare variables or even eval expressions, but search only looks for literal values. Here's an example.

  1. This search is looking for a field named "user" that contains the value of "login":

    | search user=login

  2. This search is looking for a field named "user" that contains the same value as the field named "login":

    | where user=login

So you should be able to take your example search expression:

| eval over=time_taken-threshold | search over>0

And change it to either:

| where (time_taken-threshold)>0

Or

| where time_taken>threshold

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎07-06-2010 01:43 PM

I think you want to use where and not search. The where search operation lets you compare variables or even eval expressions, but search only looks for literal values. Here's an example.

  1. This search is looking for a field named "user" that contains the value of "login":

    | search user=login

  2. This search is looking for a field named "user" that contains the same value as the field named "login":

    | where user=login

So you should be able to take your example search expression:

| eval over=time_taken-threshold | search over>0

And change it to either:

| where (time_taken-threshold)>0

Or

| where time_taken>threshold
Reply
Solved! Jump to solution

srw46
Path Finder
‎07-07-2010 07:01 AM

Splendid.

Thank you again Lowell.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...