Splunk Search

why is addinfo not working in my search?

Explorer

I asked a few weeks ago how to get the total duration of my search timeframe and was told to use addinfo. Got it working, but when I made my search more complex by outer-joining to a subsearch it stopped working. I've tried putting the addinfo|eval total_time=... piece both before and after the subsearch and get no results. Here is the search:

index=nagios (srchost=blah* OR blech)
| dedup srchost
| addinfo
| eval total_time=info_max_time-info_min_time
| join type=outer srchost overwrite=false
    [search index=nagios (srchost=blah* OR blech) HOST ALERT HARD NOT SERVICE* host=joe
    | sort _time, srchost
    | delta _time AS duration p=1
    | streamstats current=f last(srchost) AS prevsrchost
    | where name="UP" AND srchost=prevsrchost
    | stats sum(duration) AS downtime by srchost
    | table srchost, downtime]
| eval downtime=if(isnull(downtime),0,downtime)
| eval percentup=(total_time-downtime)/total_time*100
| table srchost, downtime, total_time, percentup

The outer join works, the downtime calc both in and after the subsearch works, but total_time doesn't work and thus percentup also returns nothing.

Thanks!

0 Karma

Re: why is addinfo not working in my search?

Explorer

In the words of the great Gilda Radner, "Never mind..." For testing purposes I had the search executing with a custom time range of a date to 'now', mostly because that's what it defaulted to and I was too lazy to change it. Apparently addinfo doesn't like 'now'. Once I changed it to a hard date of today's date at 00:00:00 it worked fine.


0 Karma
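As an added example (not the original poster's search or the accepted answer's own text), here is the same query with the accepted answer's fix applied inside the search string instead of the time picker. The earliest=-30d@d latest=@d window is an assumed placeholder (@d snaps to 00:00:00 today, the kind of hard boundary the answer switched to); the addinfo fields are referenced by their documented names info_min_time and info_max_time; and total_time is checked with isnum() before it is used as a divisor, so a non-numeric search boundary shows up as an empty percentup rather than a silently wrong figure.

```spl
index=nagios earliest=-30d@d latest=@d (srchost=blah* OR blech)
| dedup srchost
| addinfo
| eval total_time=if(isnum(info_max_time) AND isnum(info_min_time),
                     info_max_time-info_min_time, null())
| join type=outer srchost overwrite=false
    [search index=nagios earliest=-30d@d latest=@d (srchost=blah* OR blech) HOST ALERT HARD NOT SERVICE* host=joe
    | sort _time, srchost
    | delta _time AS duration p=1
    | streamstats current=f last(srchost) AS prevsrchost
    | where name="UP" AND srchost=prevsrchost
    | stats sum(duration) AS downtime by srchost
    | table srchost, downtime]
| eval downtime=if(isnull(downtime),0,downtime)
| eval percentup=if(isnotnull(total_time) AND total_time>0,
                    round((total_time-downtime)/total_time*100, 2), null())
| table srchost, downtime, total_time, percentup
```

Time modifiers written into the search string take precedence over the time range picker, so the query produces a concrete numeric info_max_time no matter what the picker is set to; the same earliest/latest pair is repeated in the subsearch so that downtime is summed over exactly the window total_time describes.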