https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190096#M54734 <P>Hi fgysin,</P> <P>you can use the filter in your base search like this:</P> <PRE><CODE> eventtype="app" dT&lt;3600000 | timechart avg(dT) </CODE></PRE> <P>cheers, MuS</P> Thu, 21 Aug 2014 12:43:08 GMT MuS 2014-08-21T12:43:08Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190095#M54733 <P>So, our application logs duration times of logged method calls as <CODE>..dT=XXXms..</CODE> and I would like to use this for nice splunk graphs.</P> <P>This works brilliantly if I use a query like this (in advanced charting view)</P> <PRE><CODE>eventtype="app" dT | timechart avg(dT) </CODE></PRE> <P>My Problem is, that the application rarely logs absurdly high duration times going up to several years - clearly a bug of the logging framework we are using.</P> <P>These high dT values sadly totally screw up my nice timechart graphs, and mess with statistics. How can I filter out these values?<BR /> I already tried filtering those log statements using a <CODE>where</CODE> clause, but so far this has not worked for me - result set stays empty.</P> <PRE><CODE>eventtype="app" dT | where dT&lt;3600000 | timechart avg(dT) </CODE></PRE> <P>Any ideas would be much appreciated!</P> Thu, 21 Aug 2014 12:35:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190095#M54733 fgysin 2014-08-21T12:35:13Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190096#M54734 <P>Hi fgysin,</P> <P>you can use the filter in your base search like this:</P> <PRE><CODE> eventtype="app" dT&lt;3600000 | timechart avg(dT) </CODE></PRE> <P>cheers, MuS</P> Thu, 21 Aug 2014 12:43:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190096#M54734 MuS 2014-08-21T12:43:08Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190097#M54735 <P>Hmm, that does not work for me... The is graph still plotting average values which lie in the millions and billions.</P> Thu, 21 Aug 2014 12:46:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190097#M54735 fgysin 2014-08-21T12:46:17Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190098#M54736 <P>take this run everywhere example:</P> <PRE><CODE> index=_internal earliest=-2h@h latest=-1h@h kb | where kb&lt;128 | stats count index=_internal earliest=-2h@h latest=-1h@h kb&lt;128 | stats count </CODE></PRE> <P>both will return the same count. Is this dT field numeric or a string?</P> Thu, 21 Aug 2014 12:57:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190098#M54736 MuS 2014-08-21T12:57:07Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190099#M54737 <P>ahh I see, your field is like dT=XXXms ... so remove the <CODE>ms</CODE> first and then you can filter <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 21 Aug 2014 12:59:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190099#M54737 MuS 2014-08-21T12:59:10Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190100#M54738 <P>Ah I see. So how would I remove the ms? With the <CODE>rex</CODE> command?</P> Thu, 21 Aug 2014 13:30:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190100#M54738 fgysin 2014-08-21T13:30:02Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190101#M54739 <P>eventtype="app" dT | eval dT = tonumber(substr(dT,0,len(dT)-2)) | where dT&lt;3600000 | timechart avg(dT)</P> Thu, 21 Aug 2014 13:34:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190101#M54739 strive 2014-08-21T13:34:15Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190102#M54740 <P>Awesome stuff, much appreciated.</P> Thu, 21 Aug 2014 14:00:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-numeric-field-with-where-clause/m-p/190102#M54740 fgysin 2014-08-21T14:00:55Z