Splunk Search
Highlighted

How to only show stats max(value) where min(value) is greater than 0 in the last 5 minutes?

Engager

Hi all, just getting started and trying to get something together quickly to show management so forgive asking what is probably a trivial question.

I have a log file which is written to each minute with a count of messages in a number of queues. I have a chart showing those queues with a none zero count over the last five minutes.

source=".log" id="queue.*" value>0 | stats max(value) by id

I want it to only display queues where the count has not been zero in the previous five minutes as I only care about queues that are not emptying.

I have tried things along the lines of

source=".log" id="queue.*" value>0 | stats max(value) by id | where min(value) > 0

But cannot get it right, can someone point me in the right direction please.

Tags (4)
0 Karma
Highlighted

Re: How to only show stats max(value) where min(value) is greater than 0 in the last 5 minutes?

Builder

HI,

Following query should help:

source=".log" id="queue.*"  | stats max(value) as MAX, min(value) as MIN by id | where MIN  > 0

Thanks!!

View solution in original post