Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search on aggregation

sanjeev
Explorer
‎08-13-2020 02:45 PM

These are two question that that i need to solve.

Memory loss by time *since boot* aggregated across entire population.

Memory loss by wall clock time aggregated across entire population. 

 

 

base query

(index=metrics OR index=hc_trials OR index=hc_prod) uptime>1800 (HCTELEM OR HCJUNK)
| fields + payload version deviceid
| eval payload=replace(payload, "\"\"", "\"")
| spath input=payload output=Mem1 path=Mem{1}

 

Please help me to solve this.

TIA

0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...