Splunk Search

Why am I unable to use comparison operators "greater than or equal to" with a timechart?

New Member

unable to use where >= with timechart

timechart max(value) AS la by User | eval la=round(la,2) | where la >=10
0 Karma

Revered Legend

If the span for your timechart is fixed (not using splunk default ) then try this

your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | xyseries _time user la


your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | timechart span=<<yourSpan>> max(la) by user
0 Karma

New Member

thank you for your response. This is close however.. I have a table which calculates the avg as below.

stats avg(value) AS la BY host User |  eval la=round(la,2) | where la >=0 

Also as suggested by you i want to display timechart. Tried below but i see entries from below search but not from the table above. Is it because its _time ? (i.e if i see 10 users from timechart, i see only one from the previous table. both need to match)

stats avg(value) as la by _time host User | eval la=round(la,2) | where la >=0 | timechart avg(la) by User
0 Karma


As @jrodman said, timechart by User does not give you a field named la but fields named after each User. The "as" clause is used for legend only. I think what you wanted is to find

  1. Maximum value of each User;
  2. Round the maximum value to the 2nd decimal place;
  3. For those users whose maximum value in a given time span is greater than or equal to 10 and only for those, display users and their respective maximum values.
    Note the above also imply two logical consequences:

  4. Users whose maximum value has never reached 10 in the entire search period will never be shown.

  5. For users appearing on the chart, their results will show 0 in spans of time in which their maxima don't reach 10.

The logic can be reversed to produce the exact same output, i.e., by limiting timechart only to those users who ever showed a value or values reaching or exceeding 10.

| where value >= 10 | timechart max(value) as la by User | eval la=round(la,2)

Because you are seeking maxima and not average, where you perform rounding doesn't affect the outcome. In other words, you can do

| where value >= 10 | eval value=round(value,2) | timechart max(value) as la by User

to get the same results although the first form is more efficient.

0 Karma

Splunk Employee
Splunk Employee

When you say max(value) as la by User, you get the values as the value of 'User', not as 'la'. If you have multiple fields, like |timechart max(value) as mv, avg(value) as av by user then you get the values as fields called things like mv:user1 and av:user1.

Effectively a single timechart aggterm as name by field is not a meaningful 'as' scenario, since you would want the data plotted by the field values, and we express the data as a single xyseries. You can say |where user1 >=10. I'm not sure how to construct the implied goal, but suspect it involves bringing the eval expression into the timechart.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...