×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mlg
Observer
Member since: ‎10-07-2021
‎10-07-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-07-2021
View All

Average a series of future times against current t...

by in Splunk Search
‎10-08-2021 01:56 AM
‎10-08-2021 01:56 AM
Hi, I am new to Splunk and working with parking records. I am calculating the current wait_time based off upcoming parking expiry times. Within my monitored data each record has the following fields: arrival_time, the time data was created, which is when the car parked permit_expiry, which is a couple of hours after the creation time parking_space, which is a number between 1 and 99, that doesn't repeat until the permit_expiry has passed. I have the steps I wish to use to display this, but am unsure how to construct a query to achieve the result.  Check how many parking_space are curently in use (which should be a number between 0 & 99): sourcetype="parking_log"  | where permit_expiry > now() | stats count by parking_space Find the next 5 earliest upcoming permit_expiry times and minus them from the current time. | where permit_expiry > now() limit=5 | for each permit_expiry: num_minutes=permit_expiry-arrival_time If the number of used parking_space is less than 99, for each parking_space that is free (98,97,96) replace the latest permit_expiry time with 0. if the count(parking_space) is less than 94 than all 5 numbers between 0 display the average of the five numbers (which may include both 0s and the calcluated num_minutes. Many thanks! ... View more
Labels

Searching for times being reached within the hour

by in Splunk Search
‎10-08-2021 01:11 AM
‎10-08-2021 01:11 AM
Hi, I am new to Splunk and working with parking records. Within my events, I have a permit_expiry field, which is a date and time a few or so hours after the initial data timestamp. How do I display the number of permit_expiry which are occurring within the hour. I understand there is the now() function which holds the current time, but am unsure how to utilise it. My draft search is below, but I know there is something missing within the "now() + 1 hour". sourcetype="parking_log" | where permit_expiry < now() + 1 hour | stats count by permit_expiry Many thanks! ... View more
Labels

Displaying data that is missing from a lookup tabl...

by in Splunk Search
‎10-08-2021 12:30 AM
‎10-08-2021 12:30 AM
Hi, I am new to Splunk and working with parking records. I am trying to display parking spaces that are currently not in use.   Within my monitored data each record has the following fields: the time data was created, which is when the car parked permit_expiry, which is a couple of hours after the creation time parking_space, which is a number between 1 and 99, that doesn't repeat until the permit_expiry has passed. I also have a separate lookup table/csv file called parking_lots of all parking_space (1-99), and their respective parking_lot.   This is what I have come up with so far: sourcetype="parking_log" | where now() < expiry_time | lookup parking_lots parking_space | *display parking_space that don't appear in the above search (1-99)* I am struggling to understand how to display the parking spaces, as well as use of the now() function. Many thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-07-2021 09:56 PM