Splunk Search

Can you help me with the where command?

jip31
Motivator

alt textHello,

I use the seatrch below

index="*" sourcetype="*"
| eval Boot_Duration=coalesce('Durée du démarrage      ','Boot Duration        ','Startdauer       ','Duración del arranque       ') 
| dedup host 
| stats count by host

Boot_Duration is a number value.

I want to check only the number values >100000

So I do

| where Boot_Duration>100000

But it doesn't work.

Could you help me please??

Tags (2)
0 Karma
1 Solution

nickhills
Ultra Champion

Try:

index="" sourcetype=""
| eval Boot_Duration=coalesce('Durée du démarrage ','Boot Duration ','Startdauer ','Duración del arranque ') 
| rex field=Boot_Duration (?P<Boot_Duration>^\d+)
| search Boot_Duration>=100000
| dedup host 
| stats count by host

Your stats command 'looses' the Boot Duration field, so you either need to filter it before the stats, or bring the field through after your stats command has produced results

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

woodcock
Esteemed Legend

You need to pass Boot_Duration through the stats so try using this instead:

| stats count, max(Boot_Duration) as Boot_Duration BY host

Or perhaps you would prefer avg() or min() over max().

0 Karma

woodcock
Esteemed Legend

Try this (stop using dedup and surely your fields do not really have all of those spaces in them, do they?):

index="*" sourcetype="*"
| eval Boot_Duration=coalesce('Durée du démarrage',' Boot Duration', 'Startdauer', 'Duración del arranque')
| where Boot_Duration>100000
| stats count by host
0 Karma

jip31
Motivator

thanks woodcok but i prefer to use the code of nickhillscpl because I need a regex in order to extract "ms" after the boot duration....

0 Karma

jip31
Motivator

same problem...
and unfortunately there is the space in the fields...

0 Karma

tiagofbmm
Influencer

@jip31 can you paste here a couple of your events examples please ?

0 Karma

jip31
Motivator

hi I have added the events in attachment

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jip31

Can you please share sample events?

0 Karma

nickhills
Ultra Champion

Try:

index="" sourcetype=""
| eval Boot_Duration=coalesce('Durée du démarrage ','Boot Duration ','Startdauer ','Duración del arranque ') 
| rex field=Boot_Duration (?P<Boot_Duration>^\d+)
| search Boot_Duration>=100000
| dedup host 
| stats count by host

Your stats command 'looses' the Boot Duration field, so you either need to filter it before the stats, or bring the field through after your stats command has produced results

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

Thanks a lot

0 Karma

nickhills
Ultra Champion

responding to a comment above:

"wait - Boot_Duration includes 'ms' too?
This means its a string, not a number, and, you can't perform arithmetic logic on a string!"

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

I have edited the answer above to work if your duration field includes a unit of time (like 'ms')
This works by taking just the digits and stripping any letters from the field, so you can perform math comparisons on the field.

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

You mean that i have to do something like this :
| where Boot_Duration>100000. "ms" ???

0 Karma

nickhills
Ultra Champion

No - try my example above.
In this case I am performing a regex on your Boot_Duration field - I read the entire field contents which I (now) assume contains something like "100929ms"
After the rex command, Boot_Duration will now only contain numbers ie "100929". Because this field is now numeric, you can perform <> operations on the values.

If my comment helps, please give it a thumbs up!
0 Karma

tiagofbmm
Influencer

Use rex to extract only the number part of the field and then use Boot_Duration>1000

0 Karma

tiagofbmm
Influencer

You need to keep the boot duration on your stats command

| stats count, values(Boot_Duration) as Boot_Duration by host

Then you can your | where Boot_Duration>100000

0 Karma

jip31
Motivator

tiago
it doesnt works
I think its because the boot duration has a value no?
for example : 100000ms

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...