cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
pgates
Explorer
Member since: ‎04-14-2020
‎04-13-2024
Community Statistics
Posts 7
Solutions 0
Karma Given 16
Karma Received 0
Member Since ‎04-14-2020
Activity Feed
View All

Re: Dashboard - Check Results Against Fixed List

by in Dashboards & Visualizations
‎04-12-2024 10:53 AM
‎04-12-2024 10:53 AM
Sorry - learning a few things as I go here. Basically, I just need to compare the results of a search to a static known list of values. The search will return a list of values using stats. stats values(actualResults) as actualResults I guess I'm not 100% clear on what to do first to create the static list using makeresults, and then to append/use stats to combine - I have attempted to do so without getting the results I expect. If I were to put it in SQL terms, I'd have a reference table of known values ("My Item 1", "My Item 2", etc.) and a results table of data to search, and I'd do a left outer join: Ref Table: MY_REF_TABLE KNOWN_ITEM My Item 1 My Item 2 My Item 3 My Item 4   Results Table: MY_RESULTS_TABLE RESULT_ITEM My Item 1 My Item 3   Query: select KNOWN_ITEM, case when result_item is null then 'No Match' else 'Match' end HasMatch from MY_REF_TABLE left join MY_RESULTS_TABLE on KNOWN_ITEM= RESULT_ITEM Results: KNOWN_ITEM HASMATCH My Item 1 Match My Item 2 No Match My Item 3 Match My Item 4 No Match ... View more

Re: Calculating Duration of Extracted Fields

by SplunkTrust in Splunk Search
‎10-14-2023 03:06 AM
1 Karma
‎10-14-2023 03:06 AM
1 Karma
I have a strong suspicion that your mock output is misleading.  The correct mock output most likely look like this instead: MyStartTime MyEndTime MyStartUnix MyEndUnix diff 2023-10-10T14:48:39 2023-10-10T14:57:50 2023-10-10T14:15:15 2023-10-10T13:56:53 1696974519.000000 1696975070.000000 1696972515.000000 1696971413.000000     In other words, instead of the two start and end pairs in two rows, they are in the same row for a given value of AnotherField which you didn't show. This is because you use list function by AnotherField.  Very likely there are more than one start-end pairs per AnotherField.  These multivalued fields cannot be used in arithmetic operations directly.  Before I describe a method to handle multivalue fields, let me first get some clarifications. Is it really important to use list function?  Are there overlapping MyStartTime, overlapping MyEndTime, or overlapping intervals that magically end up in the correct sequence?  If not, using values is a lot cheaper and you won't be subject to memory limitations. (Because we are looking at ISO timestamps, values with order them correctly.) Is it really important to calculate diff after stats?  If you are listing/tallying values of every start-end pair, it is actually cheaper to calculate diff before stats. (If MyStartTime and MyEndTime don't appear in the same event, of course, you don't have a choice.) I cannot see real importance of listing MyStartUnix and MyEndUnix in final results, so the following will simply ignore them. With these caveats, you can use mvmap to handle multivalued field after stats.  In the following, I assume that each start is paired with an end.   MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval idx = mvrange(0, mvcount(MyStartTime)) | eval diff=mvmap(idx, strptime(mvindex(MyEndTime, idx), "%Y-%m-%dT%H:%M:%S")-strptime(mvindex(MyStartTime, idx), "%Y-%m-%dT%H:%M:%S")) | fields - idx   This will give you AnotherField MyStartTime MyEndTime diff another 2023-10-10T14:48:39 2023-10-10T14:57:50 2023-10-10T14:15:15 2023-10-10T13:56:53 -2004.000000 -3657.000000 (Your samples have ends before starts, hence negative diffs.)   ... View more

Re: How to create dynamic label based on time inpu...

by in Dashboards & Visualizations
‎02-06-2023 06:14 AM
‎02-06-2023 06:14 AM
Awesome - was unaware of addinfo. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-13-2024 01:48 AM
Karma given to