topic Display result when comparing 3 fields, only show greater by 100 for one field in Splunk Search

Display result when comparing 3 fields, only show greater by 100 for one field

baustin612 — Wed, 29 Jul 2020 21:21:06 GMT

I have a search that is giving me this data set:

ID status Stamp
alex esb 1595989827764
alex fuz 1595989827762
jake esb 1596056447122
jake fuz 1596056447085
josh esb 1596054751935
josh fuz 1596054751852
stefan esb 1596056406846
stefan fuz 1596056406806

I want to compare the Stamp by ID, and show any ID's where the stamp for esb is great than the stampe for fuz by at least 100. Any help appreciated.

Re: Display result when comparing 3 fields, only show greater by 100 for one field

to4kawa — Wed, 29 Jul 2020 21:38:31 GMT

|stats range(Stamp) as duration by ID

|where duration > 100

Re: Display result when comparing 3 fields, only show greater by 100 for one field

baustin612 — Wed, 29 Jul 2020 21:53:04 GMT

Thank you for the quick reply!

How does this take into account status? I only want to display those where 'esb' timestamp is >= 'fuz' timestamp +100.

Re: Display result when comparing 3 fields, only show greater by 100 for one field

isoutamo — Wed, 29 Jul 2020 22:44:55 GMT

Your Stamps haven't any greater than 100 so I use greater than 50.

index=_internal | head 1 | eval _raw="ID, status, Stamp alex,esb,1595989827764 alex,fuz,1595989827762 jake,esb,1596056447122 jake,fuz,1596056447085 josh,fuz,1596054751852 josh,esb,1596054751935 stefan,esb,1596056406846 stefan,fuz,1596056406806" | multikv forceheader=1 | eval stamp=tonumber(trim(stamp)) | rename COMMENT as "previous prepare sample data" | eval esb_stamp = if(status == "esb", Stamp, null()) | eventstats range(Stamp) as duration values(esb_stamp) as esb_stamp by ID | table duration ID status Stamp esb_stamp | where esb_stamp >= 50 + Stamp

r. Ismo

Re: Display result when comparing 3 fields, only show greater by 100 for one field

baustin612 — Thu, 06 Aug 2020 20:17:13 GMT

Thank you very much!