I have a field in my query called `Attempt` that is either a non-negative integer or a special value "null". I use the special "null" string value because I am creating a summary query and don't want to lose events for which fields aren't present. I therefore use the `fillnull` operator that you can see in the query below:
index="fraud" sourcetype=strategy-engine ActivityStep=rs
| rex field=_raw "\"rescoreAttemptNumber\":\"(?\d*)\"},"
| rex field=_raw "\"riskRecommendationQuality\":{\"status\":\"(?\w*)\","
| fillnull value=null ActivityName Attempt IrisRoutingKey OperationName ProductName Strength
| stats count by ActivityName,Attempt,IrisRoutingKey,OperationName,ProductName,Strength
| search (OperationName=compute OR OperationName=executeRuleSet) AND Attempt>= 10 AND Strength="DEGRADED"
My problem is really the `Attempt>=10` term because I see both "null" and "10" values in my results table. My table returned is the table below:
![alt text][1]
Ideally, I would like to filter such results where `Attempt=null` without using the term `Attempt>=10 AND Attempt!=null` because the first part of the query (up to and including the `stats` operator) is actually a new general-purpose summary query. I suspect that people using this summary query will often forget to use the `Attempt!="null"` and just end up with extraneous results if I require them to use this term.
Is there any way to get Splunk to filter out non-numerical values from a `LHS>=RHS` style-comparison? Your help would be greatly appreciated.
[1]: /storage/temp/275022-my-query.png
↧