https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18276#M2631 <P>I'm sorry I don't understand this question ... <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 27 Jul 2012 11:18:45 GMT MHibbin 2012-07-27T11:18:45Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18271#M2626 <P>Hello, </P> <P>I have this following search:</P> <P>source="Laura_ACS"| eventstats count as "totalVE"| eventstats count(eval(STAT_VE="N")) as "totalVENO"|eval percent=(totalVENO/totalVE)*100 | stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX|search TAUX=100</P> <P>I want to calculate the "TAUX" for the last 15 min but I want to have a result with a span of 5 min and launch an alert if there are more than 2 results. That means that the TAUX equals 100 twice during the last 15 minutes. How can I apply this span of 5min in my search?</P> <P>Thanks by advance,</P> <P>Laura </P> Mon, 28 Sep 2020 12:09:16 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18271#M2626 LauraBre 2020-09-28T12:09:16Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18272#M2627 <P>Perhaps this would help you, for the span/bucket...</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bucket">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bucket</A></P> <P>And then put "<CODE>earliest=-15m latest=0</CODE>" in you orginal search command (i.e. <CODE>source="Laura_ACS"</CODE>)</P> <P>And then perhaps use <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats">streamstats</A>, instead of stats, to prevent it from formatting results in to a table and keep all raw fields/data,</P> <P>You can then use <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">transaction</A> to group events as required, and alert when you have 2 complete transactions</P> <P>Regards,</P> <P>MHibbin</P> Thu, 26 Jul 2012 16:11:07 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18272#M2627 MHibbin 2012-07-26T16:11:07Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18273#M2628 <P>I haven't tested this, as I don't have any data available at the moment that I can test this on... its more of some suggestions on points to look at, that have helped me in similar situations.</P> Thu, 26 Jul 2012 16:17:22 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18273#M2628 MHibbin 2012-07-26T16:17:22Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18274#M2629 <P>Thx very much. I test this tomorrow and I return my search as soon as I have good results.</P> Thu, 26 Jul 2012 17:47:55 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18274#M2629 LauraBre 2012-07-26T17:47:55Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18275#M2630 <P>Hello,</P> <P>I test this but I have a problem because I have to apply the span on all my search : <BR /> -eventstats count as "totalVE"<BR /> -eventstats count(eval(STAT_VE="N")) as "totalVENO"<BR /> -stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX</P> <P>But I don't know how can do it.</P> <P>Thanks by advance,</P> <P>Laura</P> Fri, 27 Jul 2012 08:28:55 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18275#M2630 LauraBre 2012-07-27T08:28:55Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18276#M2631 <P>I'm sorry I don't understand this question ... <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 27 Jul 2012 11:18:45 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18276#M2631 MHibbin 2012-07-27T11:18:45Z https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18277#M2632 <P>transaction is an answer but I don't know how can I apply this on my search because I have several subsearches. I want to calculate the taux for all the range time.</P> <P>Thx by advance,</P> <P>Laura</P> Fri, 27 Jul 2012 12:13:00 GMT https://community.splunk.com/t5/Splunk-Search/span-5min-for-the-last-15min/m-p/18277#M2632 LauraBre 2012-07-27T12:13:00Z