Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Missing data after I increase the numeric data in my where clause

cquinney
Communicator
‎02-26-2019 02:43 PM

Greetings

I'm using the following query over 24hrs.

| initial search
| timechart useother=f span=1h avg(field1) by field2 where avg > 100
| fields - NULL

And I get results for that meet that criteria, but when I increase the numeric value from > 100 to > 400, I get zero results even though I should see at least one or two fields from "field2" populate. Any thoughts on what is causing my dilemma?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-27-2019 09:18 AM

you could do something like this

initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-27-2019 09:18 AM

you could do something like this

initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 09:24 AM

That will actually work for what I'm trying to accomplish, thank you!

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎02-27-2019 09:03 AM

Try-

 | timechart limit=0 span=1h avg(field1) AS avg by field2  | where avg > 200
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 09:09 AM

Thank you for the suggestion but that doesn't seem to work either.

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-27-2019 09:28 AM

pls accept the answer to close tracking.

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-27-2019 08:20 AM

Pls change your search as below and re-test

 initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 where avg > 100
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 08:36 AM

Thank you for the suggestion, but the data still disappears when I increase the numeric value to 200 even though there should be results.

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-27-2019 08:41 AM

do you see avg more than 200 when you run 

  initial search
 | timechart useother=f span=1h avg(field1) AS avg by field2  | where avg > 100
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 08:45 AM

No, nothing populates regardless of the numeric value when I pipe the where clause to its own line I'm afraid.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...