Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About zacksoft
zacksoft
Contributor
Member since:
09-13-2017
06-11-2021
Community Statistics
| Posts | 336 |
| Solutions | 0 |
| Karma Given | 47 |
| Karma Received | 5 |
| Member Since | 09-13-2017 |
Activity Feed
- Karma Re: Where is the Location of knoweldge objects in the Backened? for richgalloway. 04-07-2021 10:45 AM
- Posted Where is the Location of knoweldge objects in the Backened? on Knowledge Management. 04-07-2021 08:43 AM
- Posted Subsearch append question !! on Splunk Enterprise. 11-18-2020 04:11 AM
- Posted How to I save my search query output as a lookup ? on Splunk Enterprise. 10-08-2020 04:11 AM
- Posted Re: How do I get search start time and end time value ? on Splunk Search. 09-24-2020 09:32 AM
- Posted Re: How do I get search start time and end time value ? on Splunk Search. 09-24-2020 08:58 AM
- Posted How do I get search start time and end time value ? on Splunk Search. 09-24-2020 01:10 AM
- Posted Re: How to transpose a table? (without using Transpose command) on Splunk Search. 09-09-2020 07:50 AM
- Posted How to transpose a table? (without using Transpose command) on Splunk Search. 09-09-2020 06:31 AM
- Posted Re: What is the permissible field value length ? on Splunk Search. 09-01-2020 07:03 AM
- Posted What is the permissible field value length ? on Splunk Search. 09-01-2020 06:36 AM
- Posted Re: How to match for a condition for main menu ? on Dashboards & Visualizations. 08-28-2020 04:11 AM
- Karma Re: How to match for a condition for main menu ? for richgalloway. 08-27-2020 07:19 PM
- Posted How to match for a condition for main menu ? on Dashboards & Visualizations. 08-27-2020 08:52 AM
- Posted Re: How to create an overview/menu dashboard? on Dashboards & Visualizations. 08-27-2020 04:59 AM
- Posted Re: How to create an overview/menu dashboard? on Dashboards & Visualizations. 08-27-2020 04:56 AM
- Posted Re: How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 06:31 AM
- Posted Re: How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 06:28 AM
- Karma How do you highlight a table cell based on a field of the search result? for florianduhme. 08-14-2020 05:50 AM
- Posted How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 05:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-07-2018
02:21 AM
It indeed helped. Happily Accepted and upvoted .
... View more
02-07-2018
02:01 AM
at any moment 'mytime' and 'x' are never equal. There is always a gap of few seconds. x is always ahead of few seconds
So I did like | eval x = now() -5 and then it gave me some values .
Thanks @FrankVI for your assistance.
... View more
02-07-2018
01:35 AM
_time = 2018-02-07 04:33:46.160
x = 1517996006
mytime = 1517996026.160
sum = 4620.3
... View more
02-07-2018
01:09 AM
sorry for the confusion.
What I'm looking is ,
a) The value of field 'sum' when the time is now().
b) And the value of field 'sum' when the time is 45 seconds before now().
'sum' field has different values and is continious on a time line.
And I'm trying to know it's value at a specific time.
... View more
02-07-2018
12:58 AM
Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?
example new_time = time +39s ??
... View more
02-07-2018
12:51 AM
If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?
... View more
02-07-2018
12:48 AM
Hi Frank.
It wont work.
On a different point, what if eval x=now()-45
and I wanna know the value of 'sum' when x has has 45 seconds less value than epoch.
... View more
02-07-2018
12:36 AM
I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.
2/7/18
3:35:10.531 AM
... View more
- Tags:
- splunk-enterprise
02-06-2018
11:54 PM
this didn't work. my num is basically a UNIX time that I'm fetching from now() function.
my comparison is like | x=now() |eval y =if(_time=x,sum,null())
If I convert my _time to UNIX time and then perform the comparison, would that work ?
... View more
02-06-2018
07:19 AM
Not sure if this can be achieved by eval command. A bit silly question indeed.
"I want to know the value of the field 'sum' when field 'num' equals 56.
And save the sum's value in a variable 'y'."
I tried to eval, it didn't do the job.
Could use some help here.
... View more
02-06-2018
05:15 AM
When I hover the mouse over a visualization(graph,trendline etc..) , It shows me time like this ,
2018-2-1T06:14:32.542-05:00
I don't understand the bold part !! The rest part is Date and Time (in hour and min) I think. Please correct me if I'm wrong.
... View more
01-29-2018
06:32 AM
It shows the first 1500 items..
and my trans_time values are not continiuos like (1, 2, 3, 4 ..3tc..) they are more like 1, 8, 4, 13, 19 ...)
I just need to make sure that I operate only on values from trans_time field whose value is less than 1500.
... View more
01-29-2018
06:04 AM
I have a list of values for trans_time field ranging from 0 to 45000 (not continious values).
I am performing some calculations on it such as average, summation etc...
I only want to perform my eval calculations on values from until 1500. I have sorted the trans_time field. How to set up the condition such as all the follow up evals will only be calculated from 0 to 1500. All the values above should just be excluded.
... View more
- Tags:
- splunk-enterprise
01-29-2018
05:24 AM
| eval _time=(round(strptime(time, "%Y-%m-%d %H:%M:%SZ")))
| eventstats median("Run_Time") as median p25("Run_Time") as p25 p75("Run_Time") as p75
| eval IQR=(p75-p25)
| eval lowerBound=(median-IQR)
| eval upperBound=(median+IQR*20)
| eval isOutlier=if('Run_Time' < lowerBound OR 'Run_Time' > upperBound, 1, 0)
| fields "_time", "symbol", "sourcetype", "time", "Run_Time", "lowerBound", "upperBound", "isOutlier"
| table _time, symbol, sourcetype, time, Run_Time, lowerBound, upperBound, isOutlier
| sort -isOutlier
... View more
01-29-2018
05:23 AM
This is using IQR.
| eval _time=(round(strptime(time, "%Y-%m-%d %H:%M:%SZ")))
| eventstats median("Run_Time") as median p25("Run_Time") as p25 p75("Run_Time") as p75
| eval IQR=(p75-p25)
| eval lowerBound=(median-IQR)
| eval upperBound=(median+IQR*20)
| eval isOutlier=if('Run_Time' < lowerBound OR 'Run_Time' > upperBound, 1, 0)
| fields "_time", "symbol", "sourcetype", "time", "Run_Time", "lowerBound", "upperBound", "isOutlier"
| table _time, symbol, sourcetype, time, Run_Time, lowerBound, upperBound, isOutlier
| sort -isOutlier
... View more
01-24-2018
07:09 AM
Adding |sort 0 - helped. But in statistics tab it still shows as 10,000 entries.
Is this something to do with IQR approach ?
While I attempted the "lower and upper boundaries of an acceptable range to identify outliers" , there also it was 10,000 values !!!
... View more
01-24-2018
04:26 AM
1 Karma
I'm trying to find outlier using IQR method suggested by Splunk. I wonder why the statistics only shows 10,000 results !
https://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Findingandremovingoutliers
... View more
- Tags:
- splunk-enterprise
01-17-2018
02:53 AM
1 Karma
I can't comprehend what 'eventstats' is. I went thru the splunk docs. I wanna use math functions like avg.. etc.. not sure whether to use stats avg or eventstats avg !! An example would be appreciated .
Thank you.
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
stats
01-15-2018
06:37 AM
By 'table cell' I meant multiple values were in One row. And makemv as you specified splits it into multiple cell. I guess I understand your point now. Thank you.
... View more
01-15-2018
06:15 AM
speaking about eval trans_time="" 1 2 3 4 5" ; In my case I have an entire cell of a table with 20 to 30 values. So manually defining is difficult. Can we not specify it to read from a table cell ?
... View more
01-15-2018
05:54 AM
stats dc(trans_time) .
Does the above command give distinct counts only ? But I have duplicates and I want them to count as well , then how to proceed ? e.g. in Host2 the count is 5, despite having two 3s and two 4s.
... View more
01-15-2018
05:48 AM
Thanks it works. If I don't want to sum or average , just wanna count How many trans_time items are there in Host1 (i.e. in our example we have 5) . Can we do it ?
... View more
01-15-2018
05:04 AM
base search | stats values(trans_time) as TransTime by host | transpose
The output looks like this
Host1 Host2
5 3
6 3
2 1
3 4
4 4
The Bold are in One Row , And the Italics are all in another(one) row.
In row-1, I see the Hostnames, In row2's column1 all values(5,6,2,3,4) are present in one cell (not in separate rows) . Same with Host2's values. They are all put in one cell.
The idea is to perform arithmetic operation like adding all the trans_time of Host1 OR calculating the average tans_time of Host2 etc... But the eval/add total commands won't work !!!
... View more
- Tags:
- splunk-enterprise
01-12-2018
03:57 AM
I never thought it would be possible to do it without stopping the bad data from being indexed.
But your query seems like magic. And eliminates the need to wrestle with the Splunk admins to have us configure the indexer from indexing bad data. I'll try this and let you know. Thank you.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-11-2021
07:35 AM
|
Karma given to
