Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for values greater than 90 days?

willsy
Communicator
‎04-19-2023 01:05 AM

index=test sourcetype=csv source=prtg.csv host=prtg device=all "Down for"=*
| rename "Down for" AS Downtime
| eval "Downtime"=replace('Downtime',"d","")
| dedup _raw
| table Device, Downtime

Is there a way to only show any devices with a downtime greater than 90 in that table?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 03:10 AM

Hi @willsy,

let me understand do you have values like "54 d" or value in epochtime, or both?

if of the first type, you can use a regex like the following to extract days:

| rex "(?<downtime_days>\d*)\s+d"

if of the second type, you can use eval and divide for the number of seconds in a day:

| eval downtime_days=your_field/86400

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 01:39 AM

Hi @willsy,

which is the time format of Downtime?

define the threshold in the same time unit and then use the where command to make a filter, 

so e.g. Downtime is expressed in days, you can use 

| where Downtime>90

if it's expressed in seconds, you can use:

| where Downtime>7776000

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:25 AM

Also just to add,

When i add
| where Downtime>90

i get the error

Error in "where" command: Type checking failed. the '>' operator received different types

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 02:53 AM

Hi @willsy,

see what you have in the Downtime field, maybe there are different formats values: e.g. sometime 10, and sometimes 10d.

identify the different choices and extract the numers using a regex.

If you share some samples containing all the choices, I could help you.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:59 AM

@gcusellothank you for getting back to me so fast,

i have various formats of,

54 d
125 d
12 h 2 m
4 d 4 d 29 m

I do have a raw value for the time though that i can use, that is under epoch times.

"Down for_RAW"
0000000016415216
0000000000141890
0000000000067157

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 03:10 AM

Hi @willsy,

let me understand do you have values like "54 d" or value in epochtime, or both?

if of the first type, you can use a regex like the following to extract days:

| rex "(?<downtime_days>\d*)\s+d"

if of the second type, you can use eval and divide for the number of seconds in a day:

| eval downtime_days=your_field/86400

Ciao.

Giuseppe

Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 03:18 AM

Absolute scholar and a gent.

thank you so very much.

i used the
| eval downtime_days=Downtime/86400

seems super simle now i can see it but i couldnt get my head round it, thanks you so very much.

0 Karma
Reply
Solved! Jump to solution

willsy
Communicator
‎04-19-2023 02:22 AM

Hey @gcusello 

So thats what i originally had in my search however it only resulted in a single device with value of 96.

where as there are 9 devices with a higher than 90 value.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...