×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lokival
Explorer
Member since: ‎08-20-2011
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 0
Karma Received 4
Member Since ‎08-20-2011
Activity Feed
View All

Re: Subtract Search results

by in Splunk Search
‎12-16-2011 08:05 AM
‎12-16-2011 08:05 AM
Thanks, eventually figured our the ideal setting was 20m ... View more

Re: How to eval results of two searches?

by in Splunk Search
‎12-16-2011 06:21 AM
‎12-16-2011 06:21 AM
Ahhhhhhh. Now I get it. Thanks much! ... View more

Re: How to eval results of two searches?

by in Splunk Search
‎12-16-2011 06:20 AM
‎12-16-2011 06:20 AM
Perfect, exactly what I was looking for. Thanks much! ... View more

Re: How to eval results of two searches?

by in Splunk Search
‎12-15-2011 12:53 PM
‎12-15-2011 12:53 PM
Tested your suggestion like so - search connect | eval lasthour = [ search connect earliest=-1h latest=now ] Returns this error - Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). ... View more

How to eval results of two searches?

by in Splunk Search
‎12-15-2011 09:05 AM
3 Karma
‎12-15-2011 09:05 AM
3 Karma
Using Splunk 4.2.3 build 105575 I have a search which I use to compare the current status of a system (1 hr window) to the status as at 1 week ago - connect earliest=-1w@h latest=-1w@h+1h | stats count as pw | append [ search connect earliest=-1h latest=now | stats count as cur] | eval diff = pw -cur I get the values for pw & cur just fine, I just can't seem to perform any calculations on them. Is there any way to have eval (or another command) operate on the results of the main search & the sub-search? Or is there a way to have one search cover multiple time ranges? ... View more

Transaction Command Broken when using non-default ...

by in Splunk Search
‎09-09-2011 08:26 AM
‎09-09-2011 08:26 AM
Good Day, New to splunk, using version 4.2.3 Imported some zipped log files into splunk. I can search them just fine, but the transaction command doesn't work as expected. Using the transaction command to find the duration of connections. The search being run is - index=myIndex | search * | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" The results however are not accurate, I have results where the myId pulled for startswith is different from the myId field pulled for endswith. However, if I import the data into splunk's default index the above search works as expected. How can I fix this without re-importing all the logs into the default index? ... View more

Re: Subtract Search results

by in Splunk Search
‎08-26-2011 11:18 AM
‎08-26-2011 11:18 AM
Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results. Oddly, playing with the maxspan value (10m / 30m / 45m) gives results? ... View more

Subtract Search results

by in Splunk Search
‎08-20-2011 08:07 PM
1 Karma
‎08-20-2011 08:07 PM
1 Karma
New to splunk - Using version 4.2.3, build 105575 I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this - id_numer | search "MsgNo=0" OR "Hang Up" Which gives me results like - 1 12/29/09 9:34:17.934 AM 12/29 09:34:17.934 2-11150042> Hang Up 2 12/29/09 9:29:51.043 AM 12/29 09:29:51.043 2-11150042> RCV: SessNo=111, MsgNo=0, NextExp=0 How do I subtract these two results so I can get the time answer to {time of first result) - (time of second result) = total time taken That is - 9:34:17.934 - 9:29:51.043 = ? Thanks, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All