Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit results with a condition before retrieving the final results

smirambe
Engager
‎11-16-2016 05:31 AM

Dear experts,

I apologize but I am new on Splunk and I have a question which can be really simple for you ...

I have just uploaded a file Inside Splunk for SAP jobs analyzing. The format is really simple :
JobName | StartDate | Duration

I have retrieved the jobs with the highest execution duration by the search -> stats count(JobName) avg(Duration_sec) by JobName

However, I want to add the following condition "Only the JobName with more than 100 exécutions should be counted".

How can I modify my query ?

Thanks really in advance.

Regards.

Stéphane

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-16-2016 07:00 AM

Perhaps this is what you are looking for.

stats count(JobName) as Executions avg(Duration_sec) by JobName | where Executions > 100
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

smirambe
Engager
‎11-16-2016 09:05 AM

Thanks really for all, both solutions work perfectly. The second one is perhaps simplest ...

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-16-2016 07:00 AM

Perhaps this is what you are looking for.

stats count(JobName) as Executions avg(Duration_sec) by JobName | where Executions > 100
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

TiagoTLD1
Communicator
‎11-16-2016 06:29 AM

Hi

1st scenario: gives you the jobs that were executed more than 100 times

| stats count(JobName) AS COUNTER avg(Duration_sec) AS AVG_DURATION by JobName | where COUNTER>100 | table JobName, AVG_DURATION

2nd scenario: if you want to calculate the avg_duration of jobs that were executed more than 100 times, you can do this:

| eventstats count(JobName) AS COUNTER by JobName | where COUNTER>100 | stats avg(Duration) as AVG_DURATION by JobName | table JobName, AVG_DURATION

That returns only the

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...