I cannot seem to get my search to return results when comparing a property with a greater than comparison even though using an equals comparison does work. The 'elements' property in my message is a 0 - x property of the event...meaning it could exist zero times or it could exist multiple times...each element in the event has a 'y' value.
What i'm trying to accomplish is to count each time an event occurs where any of the elements in the event have a y value greater than a value.
example:
This search returns 2 :
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count
This search returns 0 when it should be the same if not more than the above search:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>"1663" | stats count
↧