Solved: aggregation over _time

damucka · ‎03-29-2019

Hello,

I have the following search:

index=mlbso sourcetype=BWP_hanatraces "long running cursor detected"  | sort - _time
| table _time CONNECTION_ID CONNECTION_STATUS IDLE_TIME HOST

It gives the following output:

I would like to create a variable that would correspond to max IDLE_TIME, so e.g. on the example above 26058. Then it would be good to have it in the h:mm format, meaning 1:16 (h:mm).

How would I achieve this?

Kind Regards,
Kamil

somesoni2 · ‎03-29-2019

Try this (Splunk generally give result in reverse chronological order, so you may not need that sort command)

index=mlbso sourcetype=BWP_hanatraces "long running cursor detected"  
 | table _time CONNECTION_ID CONNECTION_STATUS IDLE_TIME HOST
 | rex field=IDLE_TIME "(?<idletime>\d+) sec" 
 | eventstats max(idletime) as MAX_IDLE_TIME 
 | eval MAX_IDLE_TIME =tostring(MAX_IDLE_TIME ,"duration")

View solution in original post

somesoni2 · ‎03-29-2019

Try this (Splunk generally give result in reverse chronological order, so you may not need that sort command)

index=mlbso sourcetype=BWP_hanatraces "long running cursor detected"  
 | table _time CONNECTION_ID CONNECTION_STATUS IDLE_TIME HOST
 | rex field=IDLE_TIME "(?<idletime>\d+) sec" 
 | eventstats max(idletime) as MAX_IDLE_TIME 
 | eval MAX_IDLE_TIME =tostring(MAX_IDLE_TIME ,"duration")

aggregation over _time

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms