

| where tonumber(strftime(_time, "%H")) >= 14 AND tonumber(strftime(_time, "%H")) = 14 AND date_hour rex "(?.*)" | timechart span=120m aligntime=earliest count(eval(searchmatch("sent"))) as HotCount by TestMQ

I think this filtering needs to be done on "date_hour" rather than using "_time". I tried the suggested options on a small part of the query and found that it is not doing the search on the Event time, rather checking the Splunk time.

date_hour>=14 AND date_hour= "14:00:00" AND strftime(_time, "%H:%M:%S") = 14 AND date_hour <= you for kind response and support!

| transpose 0 column_name=Name header_field=Day

Also tried with below approach, none of them working for the time range - I am getting the same old result.

ġ. | timechart span=120m aligntime=earliest count(eval(searchmatch("sent"))) as HotCountToday by TestMQ

I have tried with below 3 different options but it doesn't work, no change in the output results.

Can you please suggest if anything missed date_hour>=2 AND date_hour*)"

May I ask a follow up question please? In case I want to get this result for a specific time range only (for all 30 days) and based on that MaxTPS calculation should work only for the specified time range.

Only that part is changed, because I was not sure about the query and expected output.

Can you please help further suggest on these changes?

And so Thank you so much Sir, this works as expected!

So instead of using | eval Name="TestMQ" I wanted to use this as group by TestMQ

| chart useother=f values(Variance_TPS_Today) as variance by TestMQ Date

And so for the confusion! Please allow me to clarify it again.

MaxTPS_p7 < MaxTPS, round(((MaxTPS - MaxTPS_p7) / MaxTPS) * 100,2),

| timechart span=120m count(eval(searchmatch("sent"))) as HotCountToday

Please suggest, how this can be modified further to achieve the below expected output results.

Yes, you understood my requirement correctly - " I want the variance of the MaxTPS for each day compared to the MaxTPS 7 days prior"

I tried your suggested approach, but the query is not giving any output.
