Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to use a span that is equal to the time range picker?

Stijn
Loves-to-Learn
‎02-16-2023 05:29 AM

source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN TCODE="ZORF_BOX_CLOSING" SYUCOMM="SICH_T" ACCOUNT=$s_user$

| eval RESPTI = round(RESPTI/1000,2), DBCALLTI=round(DBCALLTI/1000,2)
| timechart avg(RESPTI) as "Average_Execution_Time", avg(DBCALLTI) as "Average_DB_Time", max(RESPTI) AS "Max_Execution_Time", max(DBCALLTI) as "Max_DB_Time"
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time=round(Average_DB_Time,2)
| eval Max_Execution_Time = round(Max_Execution_Time,2), Max_DB_Time = round(Max_DB_Time,2)
| search Average_Execution_Time !=""
| search Max_Execution_Time !=""

this is the search that i am working with, and in this way it is working fine. However i have to add a span to it. i have a dropdown menu that has the token $span$. when i try to use it also works fine. however what i have to do is use a span that is equal to the time range picker. the token from the timerange picker is $tok_range$, however if i try to use this as a span it will just tell me search is waiting for input. Is there a way to do this?

Labels (1)
Labels
0 Karma
Reply

nyc_jason
Splunk Employee
Splunk Employee
‎02-17-2023 07:17 AM

can you elaborate on the "what i have to do is use a span that is equal to the time range picker."? The picker will provide a earliest and latest for the entire search to look over, where the span is duration to take each avg over. So if you search all of yesterday, then a reasonable span might be 15min for example (meaning show the avg every 15min for all of yesterday). so having a span that is equal to the time range is simple taking a single avg over the entire time, which you'd do with stats instead of timechart.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...