Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return search results for a field with a duration greater than 0 for each month?

ttudor
Explorer
‎02-02-2015 01:30 PM

I have the following fields stu_id, duration, and date_month. I want to do a search to display all sru_id's that have a duration greater than 0 in every one of the following months: Sept, Oct, Nov, Dec and Jan. I can get as far as returning stu_id's with duration greater than 0, but I cannot figure out how to trim those results to only include stu_id's where they had duration greater than 0 for every month listed above.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-04-2015 11:05 AM

Thank, this worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-02-2015 01:57 PM

Try this

index=yourIndex sourcetype=yourSourcetype duration>0 (date_month="septempber" OR date_month="october" OR date_month="november" OR date_month="december" OR date_month="january") | table sru_id duration date_month
0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-02-2015 02:05 PM

Thanks. I tried that I do not need and OR, I need AND. The stu_ids must have been used in all of the months, not september OR october.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...