Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to exclude a row with respect to certain times...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to exclude a row with respect to certain timestamp using outlier
Hi,
i have the below table data where i have timecharted for 1hr time span i want to remove the row which is in red colour as it is coming with different time when compare to other data.
can i be using outlier command to perform this operation and how i can achieve this requirement.
Thank you in advance,
| _time | B | C | D | E | F |
| 2023-10-06 22:00 | |||||
| 2023-10-07 22:00 | |||||
| 2023-10-08 22:00 | |||||
| 2023-10-09 09:00 | |||||
| 2023-10-09 22:00 | |||||
| 2023-10-10 09:00 | |||||
| 2023-10-10 22:00 | |||||
| 2023-10-11 22:00 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer
Sorry for the delay.
my expectation is, suppose everyday we have data at 22:00 we need to keep that data and ignore the rest other data.
can outlier be the option to ignore the data coming with different timestamp?
please note: it is not always 22:00 data it can we any time but we have to ignore the other timestamp data apart from the usual one.
base search:
| mstats sum(Entity.InMessageCount.count.Sum) as count span=1h where index=cloudwatch_metrics AND Namespace=Entity AND Environment=prod AND EntityName="Order.SupplierDepot" AND ServiceDenomination=OutboundBatcher by Namespace, Environment, ServiceDenomination, MetricName, EntityName
| where count > 0
Output:
| _time | Namespace | Environment | ServiceDenomination | MetricName | EntityName | Count | 2023-10-06 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 1 | 2023-10-07 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 2 | 2023-10-08 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 3 | 2023-10-09 09:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 4 | 2023-10-09 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 5 | 2023-10-10 09:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 6 | 2023-10-10 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 7 | 2023-10-11 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 8 | 2023-10-11 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier |
9 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is not really enough information here to be able to easily help you. Please can you share your full search and some anonymised sample events for the volunteers to work with.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ITWhisperer ,
Is the above data is sufficient to resolve this issue. could you please help me in this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really. It doesn't tell me what data you are dealing with nor what search you are using.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer
my expectation is, suppose everyday we have data at 22:00 we need to keep that data and ignore the rest other data.
can outlier be the option to ignore the data coming with different timestamp?
please note: it is not always 22:00 data it can we any time but we have to ignore the other timestamp data apart from the usual one.
base search:
| mstats sum(Entity.InMessageCount.count.Sum) as count span=1h where index=cloudwatch_metrics AND Namespace=Entity AND Environment=prod AND EntityName="Order.SupplierDepot" AND ServiceDenomination=OutboundBatcher by Namespace, Environment, ServiceDenomination, MetricName, EntityName | where count > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Output
| _time | Namespace | Environment | ServiceDenomination | MetricName | EntityName | Count |
| 2023-10-06 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 1 |
| 2023-10-07 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 2 |
| 2023-10-08 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 3 |
| 2023-10-09 09:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 4 |
| 2023-10-09 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 5 |
| 2023-10-10 09:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 6 |
| 2023-10-10 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 7 |
| 2023-10-11 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 8 |
| 2023-10-11 22:00 | Entity | Test | TestBoundBatch | TestMessageCount | TestOrder.Supplier | 9 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
| where strftime(_time, "%H") != "22"
Fun with Regular Expression - multiples of nine
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
What’s New & Next in Splunk SOAR
