Solved: Re: Filtering data prior to timechart - finding va...

codekiln · ‎08-09-2021

I'm seeking to make a spunk timechart of values that match a certain filter:

source="/var/log/bcore/ws_metric*" event="WsMetricConnectEventType.connect_end" duration_seconds < 60*60 | timechart p95(duration_seconds) span=5m

Unfortunately, I'm clearly getting values that are longer than 60*60=3600 seconds. Many of the values for p95(duration_seconds) are actually somewhere in the range of 397k seconds.

How can I actually filter the data going into timechart?

richgalloway · ‎08-09-2021

You can't do math in the search command. Try where, instead or do the math yourself.

source="/var/log/bcore/ws_metric*" vent="WsMetricConnectEventType.connect_end" duration_seconds < 3600 
| timechart p95(duration_seconds) span=5m 


source="/var/log/bcore/ws_metric*" vent="WsMetricConnectEventType.connect_end" 
| where duration_seconds < 60*60 
| timechart p95(duration_seconds) span=5m

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-09-2021

You can't do math in the search command. Try where, instead or do the math yourself.

source="/var/log/bcore/ws_metric*" vent="WsMetricConnectEventType.connect_end" duration_seconds < 3600 
| timechart p95(duration_seconds) span=5m 


source="/var/log/bcore/ws_metric*" vent="WsMetricConnectEventType.connect_end" 
| where duration_seconds < 60*60 
| timechart p95(duration_seconds) span=5m

---
If this reply helps you, Karma would be appreciated.

Filtering data prior to timechart - finding values that are outside of filter

timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!