Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing data after I increase the numeric data in my where clause

cquinney
Communicator
‎02-26-2019 02:43 PM

Greetings

I'm using the following query over 24hrs.

| initial search
| timechart useother=f span=1h avg(field1) by field2 where avg > 100
| fields - NULL

And I get results for that meet that criteria, but when I increase the numeric value from > 100 to > 400, I get zero results even though I should see at least one or two fields from "field2" populate. Any thoughts on what is causing my dilemma?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎02-27-2019 09:18 AM

you could do something like this

initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎02-27-2019 09:18 AM

you could do something like this

initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 sum
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 09:24 AM

That will actually work for what I'm trying to accomplish, thank you!

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎02-27-2019 09:03 AM

Try-

 | timechart limit=0 span=1h avg(field1) AS avg by field2  | where avg > 200
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 09:09 AM

Thank you for the suggestion but that doesn't seem to work either.

0 Karma
Reply
Solved! Jump to solution

lakshman239
SplunkTrust
SplunkTrust
‎02-27-2019 09:28 AM

pls accept the answer to close tracking.

0 Karma
Reply
Solved! Jump to solution

lakshman239
SplunkTrust
SplunkTrust
‎02-27-2019 08:20 AM

Pls change your search as below and re-test

 initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 where avg > 100
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 08:36 AM

Thank you for the suggestion, but the data still disappears when I increase the numeric value to 200 even though there should be results.

0 Karma
Reply
Solved! Jump to solution

lakshman239
SplunkTrust
SplunkTrust
‎02-27-2019 08:41 AM

do you see avg more than 200 when you run 

  initial search
 | timechart useother=f span=1h avg(field1) AS avg by field2  | where avg > 100
0 Karma
Reply
Solved! Jump to solution

cquinney
Communicator
‎02-27-2019 08:45 AM

No, nothing populates regardless of the numeric value when I pipe the where clause to its own line I'm afraid.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...