Solved: Converting the result from my search

exchanger · ‎03-02-2021

Hello, i think its not that difficult, but i dont know how to do it.

The result is in milliseconds. Is there an easy way to convert these milliseconds into seconds?

Best regards

KailA · ‎03-02-2021

Hello exchanger,

You can use the eval fonction.

Try this :

Your search
| stats avg(duration) as avg_duration, perc50(duration) as perc50_duration, perc75(duration) as perc75_duration, max(duration) as max_duration
| eval avg_duration = avg_duration / 1000

And you can do that for each field if you want.

Let me know if it helps you 🙂

View solution in original post

KailA · ‎03-02-2021

Hello exchanger,

You can use the eval fonction.

Try this :

Your search
| stats avg(duration) as avg_duration, perc50(duration) as perc50_duration, perc75(duration) as perc75_duration, max(duration) as max_duration
| eval avg_duration = avg_duration / 1000

And you can do that for each field if you want.

Let me know if it helps you 🙂

exchanger · ‎03-02-2021

@KailA

Yes thats works perfect. Thanks 🙂

Another last question:

I have more then one search

Like first query

my search

second query

my search2

third query...

Is there a way to combine these queries, so that i can search multiple queries with one search?

KailA · ‎03-02-2021

Yes it's possible.

The worst (but working) solution is using the append function (https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Append)

I said worst because it's not the most efficient way.

If you need help for that you should create another post, and if possible put all the queries you want to merge, someone will help you 🙂

For this post, you can mark my answer as the solution to close it

exchanger · ‎03-02-2021

Thanks for this information. I used the append function and it worked 🙂

Converting the result from my search

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life