- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter a Chart with Values Greater Than some Integ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this query (time is in milliseconds and I converted it to seconds):
index=ABCD source=EFGH
| bin span=5m _time
| eval timeDiff=(endTime-startTime)/1000
| timechart span=5m eval(round(avg(timeDiff),3))
It gives me this data:
_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670
I am trying to create a chart that displays all the timeDiff that are > 1. (I am ok with the blank values.)
Example:
_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670
I was thinking about doing something with the where argument, but I'm not sure.
If someone could help me out that would be awesome! Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To get from here:
_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670
To here:
_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670
You can just add to the end:
| eval timeDiff=if(timeDiff>1,timeDiff,null)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To get from here:
_time=13:45:00 timeDiff=0.479
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15 timeDiff=0.627
_time=13:45:20 timeDiff=1.771
_time=13:45:25 timeDiff=0.855
_time=13:45:30 timeDiff=1.670
To here:
_time=13:45:00
_time=13:45:05 timeDiff=1.716
_time=13:45:10 timeDiff=1.276
_time=13:45:15
_time=13:45:20 timeDiff=1.771
_time=13:45:25
_time=13:45:30 timeDiff=1.670
You can just add to the end:
| eval timeDiff=if(timeDiff>1,timeDiff,null)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is exactly what I needed. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is this some sort of a pseudo code? firstly what is the link between timeDiff and cleanse time. you also can not use eval in a tiemchart like that, you have to rename it like this - | timechart span=5m eval(round(avg(cleanseTime),3)) as x
what are you trying to do exactly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry cleanseTime is actually timeDiff. Let me fix it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<your search > | where timeDiff>1 works for you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried that and I get no results.
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Tech Talk | One Log to Rule Them All
Splunk Security Content for Threat Detection & Response, Q1 Roundup
