Splunk Search

Filter a Chart with Values Greater Than some Integer.

Path Finder

I have this query (time is in milliseconds and I converted it to seconds):

```
index=ABCD source=EFGH
| bin span=5m _time
| eval timeDiff=(endTime-startTime)/1000
| timechart span=5m eval(round(avg(timeDiff),3)) as timeDiff
```

It gives me this data:

```
_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670
```

I am trying to create a chart that displays all the timeDiff that are > 1. (I am ok with the blank values.)
Example:

```
_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670
```

I was thinking about doing something with the where argument, but I'm not sure.
If someone could help me out that would be awesome! Thank you.

Communicator

To get from here:

```
_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670
```

To here:

```
_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670
```

You can just add to the end:

```
| eval timeDiff=if(timeDiff>1, timeDiff, null())
```
Path Finder

That is exactly what I needed. Thank you!

Champion

Is this some sort of pseudo code? Firstly, what is the link between timeDiff and cleanseTime? You also cannot use eval in a timechart like that; you have to rename it like this: `| timechart span=5m eval(round(avg(cleanseTime),3)) as x`

what are you trying to do exactly?

Path Finder

Sorry cleanseTime is actually timeDiff. Let me fix it.

Super Champion

`<your search > | where timeDiff>1` works for you?
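The two suggestions in this thread (the accepted `eval ... null()` and the `where timeDiff>1` alternative) behave differently on a timechart, and the difference is easy to see without access to the poster's `index=ABCD`. The searches below are an added example, not code from the thread: they rebuild the poster's seven sample values with `makeresults`/`streamstats` (the timestamps are constructed for today's date, since the thread only gives clock times), then apply each filter.

```spl
| makeresults count=7
| streamstats count as n
| eval _time=relative_time(now(), "@d") + 13*3600 + 45*60 + (n-1)*5
| eval timeDiff=case(n==1, 0.479, n==2, 1.716, n==3, 1.276, n==4, 0.627, n==5, 1.771, n==6, 0.855, n==7, 1.670)
| eval timeDiff=if(timeDiff>1, timeDiff, null())
| table _time timeDiff

| makeresults count=7
| streamstats count as n
| eval _time=relative_time(now(), "@d") + 13*3600 + 45*60 + (n-1)*5
| eval timeDiff=case(n==1, 0.479, n==2, 1.716, n==3, 1.276, n==4, 0.627, n==5, 1.771, n==6, 0.855, n==7, 1.670)
| where timeDiff>1
| table _time _time timeDiff
```

Run each search on its own. The first keeps all seven rows and blanks `timeDiff` for 13:45:00, 13:45:15 and 13:45:25, which is exactly the shape the poster asked for (empty values, time axis intact). The second returns only the four rows above the threshold, so those three time buckets disappear from the result set altogether; on a chart that shows up as missing x-axis points rather than blank values. For a latency or response-time dashboard where gaps in the timeline matter, the `eval ... null()` form after `timechart` is the one to use; `where` is the right tool when you want to drop the rows entirely, for example before feeding an alert.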
