- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Missing data after I increase the numeric data...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings
I'm using the following query over 24hrs.
| initial search
| timechart useother=f span=1h avg(field1) by field2 where avg > 100
| fields - NULL
And I get results for that meet that criteria, but when I increase the numeric value from > 100 to > 400, I get zero results even though I should see at least one or two fields from "field2" populate. Any thoughts on what is causing my dilemma?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could do something like this
initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could do something like this
initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That will actually work for what I'm trying to accomplish, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try-
| timechart limit=0 span=1h avg(field1) AS avg by field2 | where avg > 200
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the suggestion but that doesn't seem to work either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pls accept the answer to close tracking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pls change your search as below and re-test
initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 where avg > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the suggestion, but the data still disappears when I increase the numeric value to 200 even though there should be results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you see avg more than 200 when you run
initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 | where avg > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, nothing populates regardless of the numeric value when I pipe the where clause to its own line I'm afraid.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
