I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:
normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) |
stats avg(elapsed), median(elapsed), p90(elapsed) by detail
So an issue I run into is it matches both where detail equals "successfulLogin" as well as "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the others. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result). There are 3 ways I could go about this:
1. Limit the results to three
2. Make the detail= case sensitive
3. Show only the results where count is greater than, say, 10.
I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:
normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10
However, this includes the count field in the results. This is fine except when I turn this into a bar chart, the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field?
(And for extra credit, how would I redo the first query to do options 1 and 2? I keep trying to modify the query and it does not give me the expected results.)
Hi @mplautz
Can you try using the fields command in your 2nd search query and see if it works for you?
normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10 | fields - count
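For the two extra-credit options, this is an added example (not posted by anyone in the thread) that assumes the same field names and values as the question: the search command matches field values case-insensitively, while the where command's == comparison is case-sensitive, so the base search stays as a cheap pre-filter and where enforces the exact spelling; sort -count | head 3 then keeps only the three largest groups, and fields - count drops the column before charting.

```spl
normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home)
| where detail=="/online/userIdentify" OR detail=="/online/successfulLogin" OR detail=="/online/home"
| stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail
| sort -count
| head 3
| fields - count
```

The where clause alone is enough to discard the "successfullogin" test events; head 3 is a belt-and-braces guard for the chart, but it would also hide a genuine fourth value if one ever appeared, so prefer the where filter when you need the data to stay honest.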
I saw you posted this as an answer before it was a comment. Now I cannot give you "correct answer" credit.
Just converted it back to an answer 🙂 glad it worked!
That's it, it worked! I suppose I should have been more thorough in my Google searches to try to see how to remove columns from results.