Solved: Re: Eval value based on timerange - Page 2

cpeteman · ‎07-08-2013

Ok I'm rewriting this question as it has become much simpler than before. All I need to do is have a way the get the length of the current time range I am searching over (as a variable I hope) so that I can use it in eval. What I have right now is:

search term |bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0)| stats sum(count) AS sum,sum(occurred) AS num_of_mins_occurred,mean(count) AS mean,stdev(count) AS standard_deviation by punct |eval hourly=if((num_of_mins_occurred/4)=1,"True","False")

lguinn2 · ‎07-09-2013

There is a Splunk command addinfo that adds some fields to your search results. See addinfo for more info 🙂
To calculate the time range of a search:

yoursearchhere
| addinfo
| eval searchRange = info_max_time - info_min_time
| eval searchRangeOutput=tostring(searchRange,"duration")

Note that searchRange will be in seconds. Also, the solution in the comments will compute the time range of the resulting events. This answer will compute the time range of the search itself, regardless of what events are returned.

View solution in original post

aholzer · ‎07-09-2013

Like:
search_terms | bucket _time span=1m | eventstats latest(_time) as last, earliest(_time) as first | eval diff=round((last-first)/60/60 , 0)

This will round up to the nearest interger, avoiding the problem I mentioned above.

Also, I just noticed that you ran your eventstats after you ran a stats that does not contain _time as a field. This would also cause problems since the would be no _time field for the eventstats to work with. You'll need to use the eventstats prior to your second stats.

aholzer · ‎07-09-2013

Like I pointed out, if you are using a relative timerange, like "last 4 hours" or "last 24 hours", 99% of the time you'll get a value that includes seconds in it.

What this means for you, is that even if you convert your "num_of_mins_occurred" to seconds, by dividing twice by 60, you will get a decimal answer. It will be something like (4 /60 /60) / (4.01 /60 /60), which is not in fact == 1.

You should run a round or truncate on the answer to the diff before you try to use it in an eval.

Ran out of chars, see below

cpeteman · ‎07-08-2013

I'm afraid that this seems to only be giving me falses
when I try the following "search_term |bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0)| stats sum(count) AS sum_events,sum(occurred) AS num_of_mins_occurred,mean(count) AS mean,stdev(count) AS standard_deviation by punct | eventstats latest(_time) as last, earliest(_time) as first | eval hourly=if((num_of_mins_occurred*60*60/(last-first))==1,"True","False")"

aholzer · ‎07-08-2013

To calculate the number dynamically you may want to calculate the latest(_time) and the earliest(_time) and do a diff on them. You can do this by running an eventstats after your bucketing (to round to the minute).

This will give you the value in hours in the field named "diff":

search_terms | bucket _time span=1m | eventstats latest(_time) as last, earliest(_time) as first | eval diff=(last-first)/60/60

I should mention that if you use "last 4 hours" you will likely get decimal places in your calculation. You can just add a function to truncate or round the decimals if you want.

Eval value based on timerange

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!