Splunk Search

## Search multiple values from a single event where one value might be less than 800?

Explorer

I have the following criteria from a single event that appears like:

```
Time:  11/4/22 4:10:28.000 AM
Event:
{
  Total: 6656
  srv110: 1002
  srv111: 1105
  srv112: 1007
  srv113: 995
  srv114: 1269
  srv115: 1278
}
```

`<My Query> | timechart span=1m values(srv*)` will return the values as so:

| _time | values(srv110) | values(srv111) | values(srv112) | values(srv113) | values(srv114) | values(srv115) |
|---|---|---|---|---|---|---|
| 11/4/2022 4:04 | 1003 | 1105 | 1007 | 996 | 1268 | 1278 |

But I need to return all of them as so even if any one of those values falls under 800 but also greater than -1.

I attempted to transpose and search from there but I'm failing somewhere.

Any help or nudge in the right direction would be greatly appreciated.  Thank you!


1 Solution
SplunkTrust

Can you please try this?

```
YOUR_SEARCH
| bin span=1m _time
| stats values(srv*) as srv* by _time
| eval flag = 0
| foreach srv*
    [ eval flag = if(flag == 0 AND <<FIELD>><800 AND <<FIELD>> > -1, 1 , flag)
    ]
| where flag=1
| fields - flag, srvTotal
```

Thanks
KV
If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
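A run-anywhere check of the search in the answer above, as an added example that is not part of the original thread. The three events are constructed with `makeresults` (the values 640 and -1 are made up to exercise both bounds), and only the minute holding `srv111 = 640` should be returned; the event with every value above 800 and the event containing -1 are filtered out.

```spl
| makeresults count=3
| streamstats count as n
| eval _time = relative_time(now(), "@m") - n * 60
| eval _raw = case(
    n == 1, "{\"srv110\": 1001, \"srv111\": 1104, \"srvTotal\": 6651, \"srv112\": 1006, \"srv113\": 995, \"srv114\": 1268, \"srv115\": 1277}",
    n == 2, "{\"srv110\": 1001, \"srv111\": 640, \"srvTotal\": 6187, \"srv112\": 1006, \"srv113\": 995, \"srv114\": 1268, \"srv115\": 1277}",
    n == 3, "{\"srv110\": 1001, \"srv111\": 1104, \"srvTotal\": 5655, \"srv112\": 1006, \"srv113\": -1, \"srv114\": 1268, \"srv115\": 1277}")
| spath
| bin span=1m _time
| stats values(srv*) as srv* by _time
| eval flag = 0
| foreach srv*
    [ eval flag = if(flag == 0 AND <<FIELD>> < 800 AND <<FIELD>> > -1, 1, flag) ]
| where flag = 1
| fields - flag, srvTotal
```

Because `foreach srv*` also matches `srvTotal`, the total is tested against the same bounds before it is dropped by the final `fields` command.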

Explorer

```
{"srv110": 1001, "srv111": 1104, "srvTotal": 6651, "srv112": 1006, "time": "2022-11-04T08:47:02Z", "srv113": 995, "srv114": 1268, "srv115": 1277}
```

SplunkTrust

Can you please share _raw from the sample event?

``index=YOUR_INDEX | table _raw``

