
How to edit my search to find all source_value_id fields where the d value is less than zero?

Explorer

When running this command:

"low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d

I get what I want for one sourcesessionid:

_time         source_session_id    low_seq  d
1:00:01 PM   -1177                 0          -4584

However, I have multiple sourcesessionid, so without "-1177", the search does not work:

"low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d | table _time, source_session_id, low_seq, d

How do I make it work so it finds all sourcesessionid where d<0?

I tried this:

"low_seq=" "source_session_id" | stats values(low_seq) by source_session_id

It groups nicely for all sourcesessionid, but I could not make it work with delta on stats values() to get d<0.

Thank you.


Re: How to edit my search to find all source_value_id fields where the d value is less than zero?

Explorer

Got it.

| table _time, source_session_id, low_seq | sort 0 source_session_id, _time | delta low_seq as d | delta source_session_id as s | where d<0 and s=0


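The per-session delta that the accepted answer builds in SPL, reimplemented in Python as an added example (not from the original post and not Splunk code) over constructed sample rows. It contrasts the question's second attempt (delta over rows sorted by time alone, which yields spurious negative deltas wherever two different sessions sit next to each other) with the answer's approach (sort by session then time, take the delta, and keep only rows where the session id did not change). The field names follow the post; the row values and epoch times are made up.

```python
# Constructed sample events (not from the original post): each row carries the
# three fields used in the thread. _time is epoch seconds; low_seq is an integer.
SAMPLE_ROWS = [
    {"_time": 1000, "source_session_id": "-1177", "low_seq": 4584},
    {"_time": 1001, "source_session_id": "-1177", "low_seq": 0},     # real drop
    {"_time": 1000, "source_session_id": "-2001", "low_seq": 10},
    {"_time": 1002, "source_session_id": "-2001", "low_seq": 20},
    {"_time": 1003, "source_session_id": "-2001", "low_seq": 5},     # real drop
]


def negative_deltas_global(rows):
    """Mimic `sort 0 _time | delta low_seq as d | where d<0`.

    The delta is taken between consecutive rows regardless of session, so any
    place where two sessions interleave can produce a negative d that does not
    correspond to a sequence drop inside either session.
    """
    ordered = sorted(rows, key=lambda r: r["_time"])  # stable: keeps input order on ties
    hits, prev = [], None
    for r in ordered:
        if prev is not None:
            d = r["low_seq"] - prev["low_seq"]
            if d < 0:
                hits.append({**r, "d": d})
        prev = r
    return hits


def negative_deltas_per_session(rows):
    """Mimic the accepted answer:
    `sort 0 source_session_id, _time | delta low_seq as d
     | delta source_session_id as s | where d<0 and s=0`.

    Rows are grouped by session and ordered by time within the session, so the
    delta is only compared when the previous row belongs to the same session
    (the SPL `s=0` guard); the first row of each session is skipped.
    """
    ordered = sorted(rows, key=lambda r: (r["source_session_id"], r["_time"]))
    hits, prev = [], None
    for r in ordered:
        if prev is not None and prev["source_session_id"] == r["source_session_id"]:
            d = r["low_seq"] - prev["low_seq"]
            if d < 0:
                hits.append({**r, "d": d})
        prev = r
    return hits


if __name__ == "__main__":
    print("time-only sort (spurious cross-session drops included):")
    for h in negative_deltas_global(SAMPLE_ROWS):
        print(" ", h)
    print("per-session (only genuine drops within a session):")
    for h in negative_deltas_per_session(SAMPLE_ROWS):
        print(" ", h)
```

On the sample rows the time-only version reports three negative deltas, two of which are boundary artifacts between sessions -1177 and -2001; the per-session version reports exactly the two genuine drops (4584 to 0 in -1177, 20 to 5 in -2001).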