time frame calculation

sarit_s — Sun, 26 Apr 2020 07:22:29 GMT

Hello
i want to write IF statement as part of my query and want it to run on time frame of 30 days or more...
the query itself runs on time frame of "all time" but the result i want is from 30 days or more

how can i do it ?

thanks

Re: time frame calculation

richgalloway — Sun, 26 Apr 2020 14:49:55 GMT

Please describe the problem you are trying to solve. What queries have you tried?

Re: time frame calculation

DalJeanis — Tue, 28 Apr 2020 17:50:45 GMT

let's suppose you want a count and average Value of all the records that match some criteria in the 30 days prior to the end of a report. You can do something like this:

your search that gets all your data 
| addinfo
| eval last30daysFlag=case(if _time>info_max_time - 30*1440, "Y") 
| eval my30dayCount=case(last30daysFlag="Y", 1) 
| eval my30dayValue=case(last30daysFlag="Y", Value) 
| eventstats sum(my30dayCount) as my30dayCount avg(my30dayValue) as my30dayValue

That can also be written more succinctly as

your search that gets all your data 
| addinfo
| stats sum(eval(case(_time>info_max_time - 30*1440,1))) as my30dayCount,
            avg(eval(case(_time>info_max_time - 30*1440,Value))) as my30dayValue

In both cases, by using eventstats, the answers for the whole search will be added to every record.

If the entire search is using a stats command, you could also build it into that instead of using eventstats.

topic Re: time frame calculation in Splunk Search

time frame calculation

Re: time frame calculation

Re: time frame calculation