Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Inconsistent behavior with eval after stats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this query that matches two types of events, sending a request and receiving an answer. My goal is to take the time both of these happens to see how long the question/answer process takes:
index = "application" ("request sent" OR "answer received")
| rex field=_raw ".*\s+:\s+(?<label>\w+).+\s+(?<guid>[a-z\d-]+)$"
| eval status=if(label="answer","complete","start")
| eval start_time=if(status="complete",null,_time), end_time=if(status="complete",_time,null)
| stats min(start_time) as startT, min(end_time) as endT by guid
| eval exportTimeInMinutes=abs(end_time-start_time)/60
This query works fine and I use it as a template for others. But the problem I am having is that I want to see a screen stats table which includes the exportTimeInMinutes column. When I first write this query I got back a table with 4 columns: guid, startT, endT and exportTimeInMinutes
However, when I come back into the page in a future session I no longer see the last column. Sometimes refreshing the page allows it to show up, other times it does not. Is this a bug (or even worse... a feature)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The output fields from line 5 of your SPL are startT, endT and guid.
The required inputs for eval is end_time & start_time which are not inline.
change eval statement as shown below.
| eval exportTimeInMinutes=abs(endT-startT)/60
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The output fields from line 5 of your SPL are startT, endT and guid.
The required inputs for eval is end_time & start_time which are not inline.
change eval statement as shown below.
| eval exportTimeInMinutes=abs(endT-startT)/60
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It definitely helped. Thank you so much!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
