Solved: Report only values of a calculated field whose val...

SteffHH · ‎10-21-2020

Hello,
what must I do to report only values of diff_min greater than e.g. 1

Sorry, it's my first dashboard.
Thank you 🙂

Steff

gcusello · ‎10-21-2020

Hi @SteffHH.,

if this answer solves your needs, please, accept it or tell me how I can help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

gcusello · ‎10-21-2020

Hi @SteffHH,

I think that you could try the Splunk Search Tutorial, To understand how to build a search https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchTutorial/WelcometotheSearchTutorial

Anyway, you have to:

at first identify the container of your logs: e.g. index=your_index,
then dentify the events to use: e.g. action=start and action=end,
then identify a key to group data. e.g. events of an host or an user,
then build the variables you did: eval ...,
at least group all the values By the key you choose: stats ...,
and display results: table ....

having something like this:

index=your_index (action=start or action=end)
| stats earliest(_time) AS startTime latest(_time) AS endTime BY user
| eval 
     diff_min=(endTime-startTime)/60,
     startTime=strftime(startTime,"%Y-%m-%d %H:%M:%S.%3Q"),
     endTime=strftime(endTime,"%Y-%m-%d %H:%M:%S.%3Q")
| table user diff_min startTime endTime
| sort -diff_min

Ciao.

Giuseppe

SteffHH · ‎10-21-2020

Thx @gcusello for your help 😃

gcusello · ‎10-21-2020

Hi @SteffHH.,

if this answer solves your needs, please, accept it or tell me how I can help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Report only values of a calculated field whose value is greater than 1

saved search

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!