Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display result when comparing 3 fields, only show greater by 100 for one field

baustin612
Explorer
‎07-29-2020 02:11 PM

I have a search that is giving me this data set:

ID             status       Stamp
alex         esb            1595989827764
alex         fuz             1595989827762
jake         esb            1596056447122
jake         fuz             1596056447085
josh         esb            1596054751935
josh         fuz             1596054751852
stefan    esb             1596056406846
stefan    fuz              1596056406806

I want to compare the Stamp by ID, and show any ID's where the stamp for esb is great than the stampe for fuz by at least 100. Any help appreciated.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-29-2020 03:44 PM

Hi

Your Stamps haven't any greater than 100 so I use greater than 50.

index=_internal | head 1
| eval _raw="ID,             status,       Stamp
alex,esb,1595989827764
alex,fuz,1595989827762
jake,esb,1596056447122
jake,fuz,1596056447085
josh,fuz,1596054751852
josh,esb,1596054751935
stefan,esb,1596056406846
stefan,fuz,1596056406806" 
| multikv forceheader=1
| eval stamp=tonumber(trim(stamp))
| rename COMMENT as "previous prepare sample data"
| eval esb_stamp = if(status == "esb", Stamp, null())
| eventstats range(Stamp) as duration values(esb_stamp) as esb_stamp by ID
| table duration ID status Stamp esb_stamp
| where esb_stamp >= 50 + Stamp

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-29-2020 02:38 PM

|stats range(Stamp) as duration by ID

|where duration > 100

Reply
Solved! Jump to solution

baustin612
Explorer
‎07-29-2020 02:53 PM

Thank you for the quick reply!

How does this take into account status? I only want to display those where 'esb' timestamp is >= 'fuz' timestamp +100.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-29-2020 03:44 PM

Hi

Your Stamps haven't any greater than 100 so I use greater than 50.

index=_internal | head 1
| eval _raw="ID,             status,       Stamp
alex,esb,1595989827764
alex,fuz,1595989827762
jake,esb,1596056447122
jake,fuz,1596056447085
josh,fuz,1596054751852
josh,esb,1596054751935
stefan,esb,1596056406846
stefan,fuz,1596056406806" 
| multikv forceheader=1
| eval stamp=tonumber(trim(stamp))
| rename COMMENT as "previous prepare sample data"
| eval esb_stamp = if(status == "esb", Stamp, null())
| eventstats range(Stamp) as duration values(esb_stamp) as esb_stamp by ID
| table duration ID status Stamp esb_stamp
| where esb_stamp >= 50 + Stamp

r. Ismo 

Reply
Solved! Jump to solution

baustin612
Explorer
‎08-06-2020 01:17 PM

Thank you very much! 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...