Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for values greater than 90 days?

willsy
Communicator
‎04-19-2023 01:05 AM

index=test sourcetype=csv source=prtg.csv host=prtg device=all "Down for"=*
| rename "Down for" AS Downtime
| eval "Downtime"=replace('Downtime',"d","")
| dedup _raw
| table Device, Downtime

Is there a way to only show any devices with a downtime greater than 90 in that table?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 03:10 AM

Hi @willsy,

let me understand do you have values like "54 d" or value in epochtime, or both?

if of the first type, you can use a regex like the following to extract days:

| rex "(?<downtime_days>\d*)\s+d"

if of the second type, you can use eval and divide for the number of seconds in a day:

| eval downtime_days=your_field/86400

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 01:39 AM

Hi @willsy,

which is the time format of Downtime?

define the threshold in the same time unit and then use the where command to make a filter, 

so e.g. Downtime is expressed in days, you can use 

| where Downtime>90

if it's expressed in seconds, you can use:

| where Downtime>7776000

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:25 AM

Also just to add,

When i add
| where Downtime>90

i get the error

Error in "where" command: Type checking failed. the '>' operator received different types

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 02:53 AM

Hi @willsy,

see what you have in the Downtime field, maybe there are different formats values: e.g. sometime 10, and sometimes 10d.

identify the different choices and extract the numers using a regex.

If you share some samples containing all the choices, I could help you.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:59 AM

@gcusellothank you for getting back to me so fast,

i have various formats of,

54 d
125 d
12 h 2 m
4 d 4 d 29 m

I do have a raw value for the time though that i can use, that is under epoch times.

"Down for_RAW"
0000000016415216
0000000000141890
0000000000067157

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 03:10 AM

Hi @willsy,

let me understand do you have values like "54 d" or value in epochtime, or both?

if of the first type, you can use a regex like the following to extract days:

| rex "(?<downtime_days>\d*)\s+d"

if of the second type, you can use eval and divide for the number of seconds in a day:

| eval downtime_days=your_field/86400

Ciao.

Giuseppe

Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 03:18 AM

Absolute scholar and a gent.

thank you so very much.

i used the
| eval downtime_days=Downtime/86400

seems super simle now i can see it but i couldnt get my head round it, thanks you so very much.

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:22 AM

Hey @gcusello 

So thats what i originally had in my search however it only resulted in a single device with value of 96.

where as there are 9 devices with a higher than 90 value.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...