Splunk Search

Filter a Chart with Values Greater Than some Integer.

3666142
Path Finder

I have this query (time is in milliseconds and I converted it to seconds):

index=ABCD source=EFGH
| bin span=5m _time
| eval timeDiff=(endTime-startTime)/1000
| timechart span=5m eval(round(avg(timeDiff),3)) as timeDiff

It gives me this data:

_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670

I am trying to create a chart that displays all the timeDiff values that are > 1. (I am OK with the blank values.)
Example:

_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670

I was thinking about doing something with the where argument, but I'm not sure.
If someone could help me out that would be awesome! Thank you.

0 Karma
memarshall63
Communicator

To get from here:

     _time=13:45:00 timeDiff=0.479
     _time=13:45:05 timeDiff=1.716
     _time=13:45:10 timeDiff=1.276
     _time=13:45:15 timeDiff=0.627
     _time=13:45:20 timeDiff=1.771
     _time=13:45:25 timeDiff=0.855
     _time=13:45:30 timeDiff=1.670

To here:

     _time=13:45:00
     _time=13:45:05 timeDiff=1.716
     _time=13:45:10 timeDiff=1.276
     _time=13:45:15
     _time=13:45:20 timeDiff=1.771
     _time=13:45:25
     _time=13:45:30 timeDiff=1.670

You can just add to the end:

     | eval timeDiff=if(timeDiff>1,timeDiff,null())
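A complete, self-contained search that shows the whole pipeline end to end, added here as a worked example and not taken from the thread. It builds the seven buckets from the question with makeresults and constructed millisecond startTime/endTime values, applies the same millisecond-to-second conversion and timechart, and then blanks every bucket whose average is 1 second or less. The helper fields n and durMs are assumptions chosen for the example, and the constructed bucket times are five minutes apart so that they line up with span=5m (the 5-second spacing in the question's sample output would collapse into a single 5-minute bucket):

```spl
| makeresults count=7
| streamstats count AS n
| eval _time = strptime("2019-01-01 13:45:00", "%Y-%m-%d %H:%M:%S") + (n-1)*300
| eval durMs = case(n=1, 479, n=2, 1716, n=3, 1276, n=4, 627, n=5, 1771, n=6, 855, n=7, 1670)
| eval startTime = _time*1000, endTime = startTime + durMs
| eval timeDiff = (endTime-startTime)/1000
| timechart span=5m eval(round(avg(timeDiff),3)) AS timeDiff
| eval timeDiff = if(timeDiff>1, timeDiff, null())
```

Run as written, the search returns seven rows: 13:45 and 14:00 and 14:10 have an empty timeDiff, the other four keep 1.716, 1.276, 1.771 and 1.670. Two details matter. The eval() aggregation inside timechart has to be given a name with AS, otherwise the aggregated column is not called timeDiff and a later `where timeDiff>1` matches nothing, which is consistent with the "no results" reported in the thread. And replacing the final line with `| where timeDiff>1` would remove the three rows entirely rather than blank them, so the chart's time axis would skip those intervals instead of showing gaps; the if(..., null()) form keeps every bucket on the axis and only suppresses the value.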

3666142
Path Finder

That is exactly what I needed. Thank you!

0 Karma

Sukisen1981
Champion

Is this some sort of pseudo code? Firstly, what is the link between timeDiff and cleanseTime? You also cannot use eval in a timechart like that; you have to rename it, like this: | timechart span=5m eval(round(avg(cleanseTime),3)) as x

what are you trying to do exactly?

0 Karma

3666142
Path Finder

Sorry cleanseTime is actually timeDiff. Let me fix it.

0 Karma

mayurr98
Super Champion

Does <your search> | where timeDiff>1 work for you?

0 Karma

3666142
Path Finder

I have tried that and I get no results.

0 Karma