- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Info_max_time and info_min_time issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i have a problem with those fields. I use them in my query to calculate some average statistics.
When i select "All time" in the timerange i get:
info_max_time = "+Infinity"
info_min_time = 0.000
Solution for how to get a valid info_max_time comes up with this:
| eval info_min_time=if(info_max_time="+Infinity", min(_time), info_min_time)
But how could i interpret the info_min_time? Sitting it to zero is not applicable, because i use those values for the statistics and none of them could be zero.
I also don't have a _time field, so query like this:
| eventstats min(_time) as min_time
| eval info_min_time=if(info_max_time="+Infinity", min_time, info_min_time)
won't help
Any suggestions?
Many thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
info_min_time and info_max_time represent the bounds of your search - time window. So 'All time' will be 0::infinity.Try setting the time window to '7 days' and you will see epoch time limits for both values.
Additionally - you should have a _time field. It's present for all events and is the date/time of the event that you see. Try using | eval time=_time to see values represented in the variable 'time'.
Also ... if I understand correctly what you are trying to report - "the minimum and maximum timestamps for the results of the search query" - you can use | eventstats max(_time) as maxtime, min(_time) as mintime to populate the min / max _time values present in your query results data.
Sam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
info_min_time and info_max_time represent the bounds of your search - time window. So 'All time' will be 0::infinity.Try setting the time window to '7 days' and you will see epoch time limits for both values.
Additionally - you should have a _time field. It's present for all events and is the date/time of the event that you see. Try using | eval time=_time to see values represented in the variable 'time'.
Also ... if I understand correctly what you are trying to report - "the minimum and maximum timestamps for the results of the search query" - you can use | eventstats max(_time) as maxtime, min(_time) as mintime to populate the min / max _time values present in your query results data.
Sam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've done exactly how you'd posted, thanks
however, there are some principal differences between info_max/min_time and just _time. The main difference is when you select "Last 30 days" info_min_time would be -30d, while min(_time) would be equal to the first syslog we have during this period.
If you calculate something average, then be ready, that the results would be very different from the time, when you've been using info_min/max_time.
This is for others, who will meet this problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is mathematically impossible to calculate an average where one of the numbers is infinity. In your case, it probably doesn't matter since you'll have events nearly constantly and samcogheil's solution is probably "good enough".
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
