Splunk Search

Is there a way to use a span that is equal to the time range picker?

Stijn
Loves-to-Learn

source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN TCODE="ZORF_BOX_CLOSING" SYUCOMM="SICH_T" ACCOUNT=$s_user$

| eval RESPTI = round(RESPTI/1000,2), DBCALLTI=round(DBCALLTI/1000,2)
| timechart avg(RESPTI) as "Average_Execution_Time", avg(DBCALLTI) as "Average_DB_Time", max(RESPTI) AS "Max_Execution_Time", max(DBCALLTI) as "Max_DB_Time"
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time=round(Average_DB_Time,2)
| eval Max_Execution_Time = round(Max_Execution_Time,2), Max_DB_Time = round(Max_DB_Time,2)
| search Average_Execution_Time !=""
| search Max_Execution_Time !=""

This is the search that I am working with, and in this way it is working fine. However, I have to add a span to it. I have a dropdown menu that has the token $span$. When I try to use it, it also works fine. However, what I have to do is use a span that is equal to the time range picker. The token from the time range picker is $tok_range$; however, if I try to use this as a span, it will just tell me search is waiting for input. Is there a way to do this?

0 Karma

nyc_jason
Splunk Employee

Can you elaborate on the "what I have to do is use a span that is equal to the time range picker"? The picker will provide an earliest and latest for the entire search to look over, where the span is the duration to take each avg over. So if you search all of yesterday, then a reasonable span might be 15min, for example (meaning show the avg every 15min for all of yesterday). So having a span that is equal to the time range is simply taking a single avg over the entire time, which you'd do with stats instead of timechart.

0 Karma
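The stats form suggested in the reply above, written out against the search from the question. This is an added example, not code posted by either participant. It assumes the panel's search time range is already bound to the time range picker, so no span token is needed; `addinfo` is used only to show which window the single row covers, and `Range_Start` and `Range_End` are illustrative field names.

```spl
source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN TCODE="ZORF_BOX_CLOSING" SYUCOMM="SICH_T" ACCOUNT=$s_user$
| eval RESPTI = round(RESPTI/1000,2), DBCALLTI = round(DBCALLTI/1000,2)
| stats avg(RESPTI) as Average_Execution_Time, avg(DBCALLTI) as Average_DB_Time, max(RESPTI) as Max_Execution_Time, max(DBCALLTI) as Max_DB_Time
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time = round(Average_DB_Time,2)
| eval Max_Execution_Time = round(Max_Execution_Time,2), Max_DB_Time = round(Max_DB_Time,2)
| addinfo
| eval Range_Start = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), Range_End = strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| fields Range_Start, Range_End, Average_Execution_Time, Average_DB_Time, Max_Execution_Time, Max_DB_Time
```

The result is one row for the whole picked range instead of one row per time bucket; with an "All time" range, `info_max_time` is not a timestamp and `Range_End` comes back empty.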