topic Re: eval and "|search" question in Splunk Search

eval and "|search" question

cpeteman — Thu, 08 Aug 2013 15:56:36 GMT

So I have a search that runs over a 4h time span that Only gives results when the number of event of one kind are as manhy as or more than the number of hours. I want to be able to run over any timespan:

    search terms earliest=-4h latest=now() | ... |  stats count by _raw,TimeInHour,punct| 
 addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > 3

the search should look for results that have a count equal to the number of hours I searched over but if I write

   search terms earliest=-4h latest=now() | ... |  stats count by _raw,TimeInHour,punct  |addinfo
| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > hours-1

I get no results. Are count and hours not something I can compare, how do I change that?

Re: eval and "|search" question

linu1988 — Thu, 08 Aug 2013 17:09:13 GMT

Is count a field in the event?

and why do u use search count > hours-1? why not where count > hours-1. And rather than round could you use "floor"?

Re: eval and "|search" question

cpeteman — Thu, 08 Aug 2013 17:10:34 GMT

no it's from a stats pipe I''l add that part of the search.

Re: eval and "|search" question

emechler_splunk — Mon, 28 Sep 2020 14:31:57 GMT

It depends on how you're getting 'count'... Maybe this search will work for you?

search terms earliest=-4h | eventstats count | addinfo | eval hours = round((info_max_time - info_min_time)/3600,0) | where count > hours

Re: eval and "|search" question

cpeteman — Thu, 08 Aug 2013 17:16:18 GMT

changing search to where was all it took. Thanks!

Re: eval and "|search" question

davecroto — Thu, 08 Aug 2013 17:37:46 GMT

rename count "AS" something else and then use that something else to compare.

...|stats count AS foobar by _time |where foobar>25