Splunk Search

How to find field values from the results of a search?

ewanbrown967
Engager

Hello,

I have a search as shown below which gives me the start time (start_run), end time (end_run) and duration when the value of (ValueE) is greater than 20 for the Instrument (my_inst_226).

I need to get the values (ValueE) from 11 other Instruments for the duration of my_inst_226 while ValueE is greater than 20.

I would like to use "start_run" and "end_run" to find the value of (ValueE). I'm thinking that "start_run" and "end_run" would be variables that I can use when searching the ValueE for my 11 other Instruments, but I am stuck on how I can use "start_run" and "end_run" for the next stage of my search.


index=my_index_plant sourcetype=my_sourcetype_plant Instrument="my_inst_226"
| sort 0 Instrument _time
| streamstats global=false window=1 current=false last(ValueE) as previous by Instrument
| eval current_over=if(ValueE > 20, 1, 0)
| eval previous_over=if(previous > 20, 1, 0)
| eval start=if(current_over=1 and previous_over=0,1,0)
| eval end=if(current_over=0 and previous_over=1,1,0)
| where start=1 OR end=1
| eval start_run=if(start=1, _time, null())
| eval end_run=if(end=1, _time, null())
| filldown start_run end_run
| eval run_duration=end_run-start_run
| eval check=_time
| where end=1
| streamstats count as run_id
| eval earliest=strftime(start_run, "%F %T")
| eval latest=strftime(end_run, "%F %T")
| eval run_duration=tostring(run_duration, "duration")
| table run_id earliest latest start_run end_run run_duration current_over previous_over end Instrument ValueE


Any and all tips, help and advice will be gratefully received.

0 Karma

yuanliu
SplunkTrust

The most blunt way to implement this would be to use the constraint on ValueE as a subsearch to establish the search period (earliest, latest). I will assume that ValueE and all the other 11 values are already extracted by Splunk. I will call them other_field01, other_field02, etc.

Here is an idea if you are only interested in distinct values of these.

index=my_index_plant sourcetype=my_sourcetype_plant
    [index=my_index_plant sourcetype=my_sourcetype_plant Instrument="my_inst_226" ValueE > 20
    | stats min(_time) as earliest max(_time) as latest]
| stats values(other_field01) as other_field01 values(other_field02) as other_field02, ... values(ValueE) as ValueE by Instrument

Hope this helps.


0 Karma
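Added example, not part of either post above. The subsearch in the answer returns one window, from the first over-20 reading of my_inst_226 to the last; if my_inst_226 crosses 20 several times, that window also covers the gaps between runs. The search below instead keeps the per-run idea of the original question and applies it to the other instruments in a single pass: it carries the reference instrument's over/under-20 state onto every later event (whatever its Instrument), numbers the runs, and then keeps only the other instruments' readings taken while the reference was over 20. It assumes the index, sourcetype, Instrument and ValueE names from the thread, that ValueE is numeric, and that readings from all instruments are interleaved in time so the carried state is meaningful.

```spl
index=my_index_plant sourcetype=my_sourcetype_plant
| sort 0 _time
| eval ref_over=if(Instrument="my_inst_226", if(ValueE > 20, 1, 0), null())
| filldown ref_over
| streamstats current=false last(ref_over) as prev_ref_over
| eval run_start=if(ref_over=1 AND coalesce(prev_ref_over, 0)=0, 1, 0)
| streamstats sum(run_start) as run_id
| where ref_over=1 AND Instrument!="my_inst_226"
| stats min(_time) as start_run max(_time) as end_run values(ValueE) as ValueE by run_id Instrument
| eval earliest=strftime(start_run, "%F %T"), latest=strftime(end_run, "%F %T")
| table run_id Instrument earliest latest ValueE
```

Stage by stage: ref_over is set only on my_inst_226 events (1 when ValueE is over 20, else 0) and filldown copies that state onto every following event from any instrument; prev_ref_over is the state before the current event, so run_start fires exactly on the reference event that goes from under to over 20 (coalesce treats the first reference reading as "under"); the running sum of run_start is the run number, the same run_id the original search produces. Because run_id is computed before the where, the other instruments' events inside a run keep it after the reference events are dropped. Note that start_run and end_run here are the first and last reading of each other instrument inside the run, not the reference's crossing times; if you need those, take them from the original search instead. values() deduplicates and loses order, so use list(ValueE) if every reading matters. sort 0 over a large index is expensive; restrict the base search with Instrument IN ("my_inst_226", ...) to the 12 instruments and a tight time range before running it.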