topic Re: How to search for values greater than 90 days in Splunk Search

How to search for values greater than 90 days?

willsy — Wed, 19 Apr 2023 21:21:15 GMT

index=test sourcetype=csv source=prtg.csv host=prtg device=all "Down for"=*
| rename "Down for" AS Downtime
| eval "Downtime"=replace('Downtime',"d","")
| dedup _raw
| table Device, Downtime

Is there a way to only show any devices with a downtime greater than 90 in that table?

Re: How to search for values greater than 90 days

gcusello — Wed, 19 Apr 2023 08:39:55 GMT

Hi @willsy,

which is the time format of Downtime?

define the threshold in the same time unit and then use the where command to make a filter,

so e.g. Downtime is expressed in days, you can use

| where Downtime>90

if it's expressed in seconds, you can use:

| where Downtime>7776000

Ciao.

Giuseppe

Re: How to search for values greater than 90 days

willsy — Wed, 19 Apr 2023 09:22:58 GMT

Hey @gcusello

So thats what i originally had in my search however it only resulted in a single device with value of 96.

where as there are 9 devices with a higher than 90 value.

Re: How to search for values greater than 90 days

willsy — Wed, 19 Apr 2023 09:25:44 GMT

Also just to add,

When i add
| where Downtime>90

i get the error

Error in "where" command: Type checking failed. the '>' operator received different types

Re: How to search for values greater than 90 days

gcusello — Wed, 19 Apr 2023 09:53:54 GMT

Hi @willsy,

see what you have in the Downtime field, maybe there are different formats values: e.g. sometime 10, and sometimes 10d.

identify the different choices and extract the numers using a regex.

If you share some samples containing all the choices, I could help you.

Ciao.

Giuseppe

Re: How to search for values greater than 90 days

willsy — Wed, 19 Apr 2023 09:59:04 GMT

@gcusellothank you for getting back to me so fast,

i have various formats of,

54 d
125 d
12 h 2 m
4 d 4 d 29 m

I do have a raw value for the time though that i can use, that is under epoch times.

"Down for_RAW"
0000000016415216
0000000000141890
0000000000067157

Re: How to search for values greater than 90 days

gcusello — Wed, 19 Apr 2023 10:10:35 GMT

Hi @willsy,

let me understand do you have values like "54 d" or value in epochtime, or both?

if of the first type, you can use a regex like the following to extract days:

| rex "(?<downtime_days>\d*)\s+d"

if of the second type, you can use eval and divide for the number of seconds in a day:

| eval downtime_days=your_field/86400

Ciao.

Giuseppe

Re: How to search for values greater than 90 days

willsy — Wed, 19 Apr 2023 10:18:23 GMT

Absolute scholar and a gent.

thank you so very much.

i used the
| eval downtime_days=Downtime/86400

seems super simle now i can see it but i couldnt get my head round it, thanks you so very much.