cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Goldenfit
Explorer
Member since: ‎05-16-2023
‎06-28-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-16-2023
Activity Feed
View All

Finding a number of outliers that repeteadly occur...

by in Splunk Search
‎06-28-2023 01:01 PM
‎06-28-2023 01:01 PM
So I have this query that creates and incident if there is 7 outlier  in the last 15 minutes: | streamstats time_window=15m current=true reset_after=(propOutlier=7) sum(isOutlier) as propOutlier by InterfaceName | eval isIncident = if(propOutlier=7, 1, 0 ) | eventstats max(isIncident) as hasIncident by InterfaceName | where hasIncident=1 Now i would like the add to  "isIncident" the situation where there has been 5 outliers, repeteadly, in the last 3 time window of 15 minutes.  If there has been 5 outliers in the last 15min window, I do not care. But if this happens 3 times in a row, it is a problem for me.  Can anyone help?  Thank you ... View more
Labels

Re: Timechart with join

by SplunkTrust in Splunk Search
‎06-02-2023 10:03 AM
‎06-02-2023 10:03 AM
Hi @Goldenfit, timechart command works only if you have the _time fields. But you haven't this field. You could use the stats command using CURRENT_TIMESTAMP as grouping BY option. In addition, join is a command to use only when you haven't any other solution and having few events, otherwise it's a very slow command; I hint to you to re-design your search using stats. Ciao. Giuseppe   ... View more

Re: using token with a field created using "eval"

by SplunkTrust in Splunk Search
‎05-30-2023 08:57 AM
1 Karma
‎05-30-2023 08:57 AM
1 Karma
The where command returns no results because there is no message_id field in the data.  The field was stripped out by the stats command.  Perhaps moving where before stats will give you the results you seek. ... View more

Re: Using token with a field created with "eval"?

by in Splunk Search
‎05-17-2023 06:12 AM
‎05-17-2023 06:12 AM
So basically i have another panel  my goal is that when I click on one of the message_id displayed in the chart above, my first query in the original post udates it to display TEXT and USER with this particular message_id   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2023 05:20 PM
Karma given to
View All