Splunk Search

How to edit my search to find all source_value_id fields where the d value is less than zero?

Explorer

When running this command: "low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d I get what I want for one source_session_id:

_time         source_session_id    low_seq  d
1:00:01 PM   -1177                 0          -4584

However, I have multiple source_session_id, so without "-1177", the search does not work: "low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d |table _time, source_session_id, low_seq, d.

How do I make it work so it finds all source_session_id where d<0?

I tried this: "low_seq=" "source_session_id" | stats values(low_seq) by source_session_id. it groups nicely for all source_session_id but I could not make it work with delta with stats(values) to get d<0,

Thank you.

0 Karma
1 Solution

Explorer

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0

View solution in original post

0 Karma

Explorer

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!