
how to filter based on hour and minute after using transpose?

abhi04
Communicator

Hi All,

I am using mstats for a metric and I am evaluating my hour and minute fields, something like below:


| mstats rate_avg(abc*) prestats=false WHERE "index"="def" span=3m
| rename rate_avg(* as *, *) as *
| eval Date=strftime(_time,"%m/%d/%Y")
| eval hour=strftime(_time,"%H")
| eval minute=strftime(_time,"%M")
| transpose column_name=instance
| rename "row 1" as MessagesRead
| eval MessagesRead=ROUND(MessagesRead,0)
| where MessagesRead < 1


Now I am unable to use the filter condition below:

| search NOT (instance="*xyz*" AND hour=09 AND (minute>=00 AND minute<=15))

as I don't want to alert for one particular instance from 9:00 to 9:15, but it should still alert for other instances during that time period.

Before the transpose the instance field does not exist, so I can't use the filter, and after the transpose I am unable to filter on hour and minute.

Can you please help with filtering after transpose?

tscroggins
Influencer

Hi @abhi04,

To filter with the where or search commands at the end of the pipeline, try the untable command instead of the transpose command:

| mstats rate_avg(abc*) as abc* where index=def span=3m
| untable _time instance MessagesRead
| eval MessagesRead=round(MessagesRead, 0)
| where ...

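The untable approach carried through to the filter from the question, written out as an added example (this is not part of tscroggins' answer or the original post). The metric name `abc*`, the index `def` and the `xyz` instance pattern are the placeholders from the question; `tonumber` is used so that the hour and minute comparisons are numeric rather than string comparisons on the zero-padded strftime output.

```spl
| mstats rate_avg(abc*) as abc* where index=def span=3m
| untable _time instance MessagesRead
| eval MessagesRead=round(MessagesRead, 0)
| eval hour=tonumber(strftime(_time, "%H"))
| eval minute=tonumber(strftime(_time, "%M"))
| where MessagesRead < 1
| search NOT (instance="*xyz*" AND hour=9 AND minute>=0 AND minute<=15)
```

Because untable turns each abc* column into its own row, with the column name in `instance` and the value in `MessagesRead`, `_time` stays a per-row field and hour and minute can be derived and filtered after the reshape, which is exactly what transpose made impossible.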