×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
msyparker
Explorer
Member since: ‎01-15-2019
‎07-15-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎01-15-2019
Activity Feed
View All

Re: How to filter time AFTER timechart using relat...

by in Splunk Search
‎07-15-2021 02:07 PM
‎07-15-2021 02:07 PM
Thank you ... View more

How to filter time AFTER timechart using relative ...

by in Splunk Search
‎07-15-2021 09:52 AM
‎07-15-2021 09:52 AM
Hello! I  have a search with timechart that I need to filter time AFTER the timechart based on the current time.   I've tried: search blablabla | timechart span=1m limit=0 eval(sum(SOM)/sum(VOL)) by VAR | where earliest=-3m@m latest=@m But got the error: Error in 'where' command: The operator at 'm@m latest=@m' is invalid. And: search blablabla | timechart span=1m limit=0 eval(sum(SOM)/sum(VOL)) by VAR | search earliest=-3m@m latest=@m But got no results.   Does anyone know how to to that? Thank you!   ... View more
Labels

How to create a bucket of number of events instead...

by in Splunk Search
‎04-01-2020 08:54 AM
‎04-01-2020 08:54 AM
Hello! 🙂 I'm tryng to get statistics of groups of 200 events. For instance, I have the following stats: |stats sum(CPU) avg(resptime) c as "total" sum(CPU)----------avg(resptime)----------total 1000-----------------0.00240------------------800 What I wanted to have is: sum(CPU)----------avg(resptime)----------total 120-------------------0.00125------------------200 300-------------------0.00124------------------200 480-------------------0.00122------------------200 100-------------------0.00122------------------200 OBS. I know how to create bins of time span, but what I need is to make buckets based on event quantity and NOT time. Thank you in advance! ... View more

Re: Alternatives to mvexpand mvzip to create a sum...

by in Knowledge Management
‎01-24-2019 07:14 AM
‎01-24-2019 07:14 AM
Thank you for your reply! ... View more

Alternatives to mvexpand mvzip to create a summary...

by in Knowledge Management
‎01-16-2019 09:20 AM
‎01-16-2019 09:20 AM
Greetings, I have a JSON with the format: bigfield: [ [-] { [-] field1: xxxx field2: true otherfields: wwww } { [-] field1: yyyyy field2: false otherfields: zzzz } ] and I need to create a summary index to give me the following: field1 field2 time xxxx true time yyyy false time (xxx must be with true and yyy must be with false) I'm currently using: | fields bigfield.field1 bigfield.field2 | foreach * [ eval field1=if('bigfield.field1'!="",'bigfield.field1', "NA"), field2=if('bigfield.field2'!="",'bigfield.field2', "NA")] | field1 field2 | eval zipped=mvzip(field1, field2, ";;") | mvexpand zipped | eval zipped = split(zipped, ";;") | foreach * [ eval field1 = mvindex(zipped, 0), field2=mvindex(zipped, 1)] | bin span=1m _time | stats count as "Total" by _time field1 field2 but mvzip and mvexpand consume too much and I get the results truncated: "[server] command.mvexpand: output will be truncated at ##### results due to excessive memory usage. " I can't change the threshold, so I was hoping there was a way to make the search less consuming. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-15-2021 11:30 AM
Karma given to
View All