Hi all,
I have a token "range" which is in the format 0-2, 2-5, 5-10, 10-100 .. I am splitting it by "-" and saving the values as "minor" and "major". When I try to use those values in the query, I am not able to get the results. The query is as follows.
search index= "abc" sourcetype="xyz"| eval range = "$time$"| eval temp=split(range,"-")| eval minor=mvindex(temp,0)| eval major=mvindex(temp,1)|search duration>minor AND duration<=major| table task duration URL
I am not able to display the table. Can anyone please help me with this?
Try this out:
index=_audit source=audittrail sourcetype=audittrail info=completed
| eval range = "0-2"
| eval var = split(range,"-")
| eval low = mvindex(var,0)
| eval high = mvindex(var,1)
| eval total_run_time=round(total_run_time/60,2)
| stats sum(total_run_time) AS Total_Min by user low high
| where Total_Min>low AND Total_Min<high
Thank you so much, it is working properly now. Can you please tell me what mistake I made there?
Hi,
I assume that you did not get any results because you used search instead of where.
Try your code with "where"...might already do the trick.
Regards,
Mike
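The difference between the two commands, as an added example that is not part of the original thread: `search` treats the right-hand side of a comparison as a literal value, while `where` evaluates it as an expression, so field names such as `minor` and `major` are resolved to their values. The events are constructed with `makeresults`, the range "2-5" is a sample value, and `tonumber()` is added here to make the comparison explicitly numeric.

```spl
| makeresults count=12
| streamstats count AS duration
| eval range="2-5"
| eval temp=split(range,"-")
| eval minor=tonumber(mvindex(temp,0)), major=tonumber(mvindex(temp,1))
| where duration>minor AND duration<=major
| table duration minor major
```

Replacing the `where` line with `search duration>minor AND duration<=major` compares `duration` against the literal strings minor and major rather than the field values, which is consistent with the empty table in the question.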
Oh yes.. I used search.. thank you!
Hi,
one major question stands in the room. Is the content you apply split to:
0-2, 2-5, 5-10, 10-100
OR is it:
0-2
2-5
etc.
?
I have to split 0-2 into 0 and 2. I just mentioned remaining as examples for the values for the token.