- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- How can I return all elements greater than or less...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm new to Splunk so this is really basic.
I can use this search
host=PChistory_1 participant_count=5
and I will get all elements where participant_count is exactly 5.
But, greater than or less than does not work.
host=PChistory_1 participant_count<5
will give me no results.
Not sure what I'm doing wrong.
This is example of one log element:
{
"name": "Company xx",
"participant_count": 2,
"start_time": "2018-03-16T14:26:08",
"service_type": "conference",
"participants": [
"/api/admin/history/v1/participant/149a6a3c-fb22-436a-b267-f649c131f1d6/",
"/api/admin/history/v1/participant/35e86e0e-f470-4259-8a5f-4f4b47c97d41/"
],
"tag": "",
"end_time": "2018-03-16T14:30:15.104681",
"instant_message_count": 0,
"unique_participant_count": 2,
"duration": 247,
"id": "c12509d6-ab15-49e2-9e38-38c551096cc8",
"resource_uri": "/api/admin/history/v1/conference/c12509d6-ab15-49e2-9e38-38c551096cc8/"
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you indexing this with sourcetype JSON?
I picked up your exact example, indexed with JSON and tried both:
host=PChistory_1 participant_count=2
and
host=PChistory_1 participant_count>1
And got the expected behaviour on both.
Please check that sourcetype and let me know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you indexing this with sourcetype JSON?
I picked up your exact example, indexed with JSON and tried both:
host=PChistory_1 participant_count=2
and
host=PChistory_1 participant_count>1
And got the expected behaviour on both.
Please check that sourcetype and let me know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was the problem indeed. I thought I had chosen JSON the first time and chosen my timestamps. Did it again now and it works beautifully 🙂 Not sure what I did wrong the first time, but probably some basic mistake.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The answer below from @tiagofbmm should work, but it's not as efficient as filtering in the base search. I'm surprised that the query you posted isn't working, because such structure works in my environment. Does it return no results at all, or just fail to return some results you know it should be returning?
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
