if the fileds has values like filed=0, field=1 etc.. how can i filter this filed which has values greater than 1

Hi @Rajpranar,

This is a lovely thread, but it's 14 years old. Asking a new, unanswered question will help you get an answer more quickly.

You can use the greater than operator in field expressions:

field>1

See https://docs.splunk.com/Documentation/Splunk/latest/Search/Fieldexpressions.

If you need to compare the value of two fields, use the where command:

| where field2>field1

Thanks @tscroggins i did post a new question..

How to filter a field from the log where the values change for example please see below,

logfile =(result1=0 result2=5 result3=10 result4=14)  at 5AM

logfile =(result1=8 result2=5 result3=10 result4=14) at 5:10Am

logfile =(result1=4 result2=5 result3=10 result4=14) at 5:20Am

logfile =(result1=3 result2=5 result3=10 result4=14) at 5:30Am

i want query to return result and show when result1 is greater than 5, please help

Current state im at =index=indexname | search sourcetype=eventname "result1=5" gives results but if i do
index=indexname | search sourcetype=eventname "result1> 4" returns nothing

_* refers to the reserved (a.k.a. "internal") fields such as _time.

So it seems to read "I want foo, and I don't want any internal fields".

The explanation at http://www.splunk.com/base/Documentation/latest/SearchReference/Fields might make more sense to you.

what does the _* in the 4.x string mean? Why the underscore?