Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Losing duration in milliseconds when I add file size data...

juriggs
Path Finder
‎01-16-2014 10:53 AM

Hi,

I have to calculate duration in milliseconds which is working, but when I add file size data to the query, the duration goes to 0. Can anyone provide any guidance as to what's happening and how to resolve it?

Here's the query that works:

FILE="*" | stats range(timestamp) as durationms by FILE | eval duration=durationms/1000

but if I run this:

FILE="*" | stats range(timestamp) as durationms by FILE, FileSize | eval duration=durationms/1000

then duration and durationms go to 0.

Thanks in advance!

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎01-16-2014 04:40 PM

for the doc :
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonStatsFunctions

range(X) This function returns the difference between the max and min values of the field X ONLY IF the value of X are numeric. chart, stats, timechart, sparkline()

Maybe a rounding issue, or a missing value.

To verify that your values are actually not null, not identical, or not missing, please try :

FILE="*" | stats values(timestamp) min(timestamp) AS mintimestamp max(timestamp) AS maxtimestamp range(timestamp) as durationms by FILE, FileSize
| eval manualrange=maxtimestamp=mintimestamp
| eval duration=durationms/1000
| eval manualduration=manualrange/1000
| eval manualduration_round=round(manualrange/1000,10000000000)

0 Karma
Reply

somesoni2
Revered Legend
‎01-16-2014 02:34 PM

In second search, if you run it without eval stuff, does the durationms shows zero?

0 Karma
Reply

juriggs
Path Finder
‎01-16-2014 12:11 PM

Yeah, I've done that. I have results UNTIL I add FileSize into the query. Does it have to do with the range function? The FileSize field is only in one of the events returned... if I change FILE to a specific file and add fields (like User) that are in both the events, everything works fine.

Thanks for your help...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2014 11:52 AM

Have you tried replacing the eval with 'table FILE durationms' to make sure you have results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...