topic Re: Search command. - in Splunk Search

Search command. -

jaibalaraman — Tue, 09 Apr 2024 22:56:29 GMT

I am not sure about this value risk score.

How do i create dashboard tile for this fields

Re: Search command. -

ITWhisperer — Tue, 09 Apr 2024 23:01:48 GMT

max(), avg() and stdev() are all aggregation functions which you can include on a stats command in your search

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Aggregatefunctions

Re: Search command. -

jaibalaraman — Tue, 09 Apr 2024 23:09:26 GMT

Hi Thanks for the responce

yes, i have gone through aggregate function, could you please help how to implement in the code

Exp 1 - chart eval(avg(size)/max(delay)) AS ratio BY host user

OR timechart eval(round(avg(cpu_seconds),2)) BY processor

Re: Search command. -

yuanliu — Wed, 10 Apr 2024 00:27:19 GMT

That'll depends on what you want to show for your risk score. Do you want to show max? Do you want to show avg? Is there a groupby field you want to use?

Note the excerpted examples from the document are very specific to the problem the examples are trying to illustrate. It is not a substitute for you to describe your desired output. If you don't tell people, volunteers would have no way to read your mind.

In the simplest form, you can experiment with something like

| chart avg('event.Properties.riskScore') max('event.Properties.riskScore') min('event.Properties.riskScore') stdev('event.Properties.riskScore')

But you already did this. So, what is your desired output? Alternatively, what is the use case you are trying to apply? What is the business problem you are trying to solve/illustrate using this dashboard?

Re: Search command. -

jaibalaraman — Wed, 10 Apr 2024 00:38:19 GMT

Yes i trying to find out max duration and the endpoint which is associated with

event.Properties.endpoint

event.Properties.duration.

Re: Search command. -

yuanliu — Wed, 10 Apr 2024 00:50:12 GMT

| chart max('event.Properties.duration') by event.Properties.endpoint

Something like this?

Re: Search command. -

jaibalaraman — Wed, 10 Apr 2024 01:04:40 GMT

I tried the search, but not getting the max number

Re: Search command. -

jaibalaraman — Wed, 10 Apr 2024 01:09:58 GMT

Hi
How do i change the max column, in readable format like 40 mins , 30 mins or 1 hrs

Re: Search command. -

yuanliu — Wed, 10 Apr 2024 05:58:43 GMT

Instead of dealing with the messiness of a natural language, it might be better to use standard notation of duration, like

| fieldformat max(event.Properties.duration) = tostring('max(event.Properties.duration)', "duration")

Instead of 40 mins , 30 mins or 1 hrs, you get 00:40:00, 00:30:00, 01:00:00, and so on.