Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Total Time in D:M:H:S- using appendpipe instead o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to somehow get a total sum of the "Total Time" column and have it be on a separate line rather the next line because it adds totals of anything with a number. I found appendpipe to go to the next line.
Search string:
index="rdpg"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" max(dest_ip) as "Destin ip" by Ephemeral
| eval Seconds=Disconnect-Connect | fieldformat Seconds=strftime('Seconds', "%s") | eval "Total Time"=tostring(Seconds,"duration") | where Seconds > 300
| search Connect=* Disconnect=* | appendpipe [stats sum(Seconds) as "Total Seconds" ]
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
See results -=HERE=-
ALSO: If I have a dashboard and I can get this total time thing working... can I somehow have a "button" that displays the total time based on a timeframe I specify?
Here is my Dashboard and the "button" I'd like Example --The Red things 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
change :
appendpipe [stats sum(Seconds) as "Total Seconds" ]
to :
appendpipe [stats sum(Seconds) as tseconds | eval tseconds=tostring(tseconds,"duration") | rename tseconds as "Total Time" ]
For the button stuff - how well do you know Advanced XML ?
What you'd normally do Is something like this :
HiddenSearch (not including the appendpipe )
|-SimpleResultsTable
|-PostProcess (just add | stats sum(Seconds) as tseconds etc etc )
|-SingleValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
change :
appendpipe [stats sum(Seconds) as "Total Seconds" ]
to :
appendpipe [stats sum(Seconds) as tseconds | eval tseconds=tostring(tseconds,"duration") | rename tseconds as "Total Time" ]
For the button stuff - how well do you know Advanced XML ?
What you'd normally do Is something like this :
HiddenSearch (not including the appendpipe )
|-SimpleResultsTable
|-PostProcess (just add | stats sum(Seconds) as tseconds etc etc )
|-SingleValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem - just a point of interest, buttons dont look like that in splunk 5 any more, thats a splunk 4 screenshot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! Appendpipe fix worked! I will let you know about the XML after implement it 🙂 -YOU DA MANG!
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
