
How to return search results for a field with a duration greater than 0 for each month?

ttudor
Explorer

I have the following fields: stu_id, duration, and date_month. I want to do a search to display all stu_id's that have a duration greater than 0 in every one of the following months: Sept, Oct, Nov, Dec and Jan. I can get as far as returning stu_id's with duration greater than 0, but I cannot figure out how to trim those results to only include stu_id's where they had duration greater than 0 for every month listed above.

Any ideas?

1 Solution

sideview
SplunkTrust

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months.

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0

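To show why the chart-then-filter approach works where a plain OR filter does not, here is an added Python emulation of that pipeline over constructed sample events (this is not Splunk code and not from the original post; the events and stu_id values are made up). Note the edge case it reproduces: `chart` leaves the cell null when a stu_id has no events in a month, and a `search september>0` comparison against a null field does not match, so that stu_id is dropped just like one whose total is 0.

```python
from collections import defaultdict

# Column names as Splunk's default date_month field produces them (lowercase, full name).
REQUIRED_MONTHS = ("september", "october", "november", "december", "january")

# Constructed sample events (stu_id, duration, date_month); not real data.
SAMPLE_EVENTS = [
    ("s1", 30, "september"), ("s1", 15, "october"), ("s1", 5, "november"),
    ("s1", 20, "december"), ("s1", 10, "january"),
    ("s2", 40, "september"), ("s2", 0, "october"), ("s2", 25, "november"),
    ("s2", 25, "december"), ("s2", 25, "january"),    # zero total in october -> excluded
    ("s3", 12, "september"), ("s3", 8, "october"), ("s3", 9, "november"),
    ("s3", 7, "december"),                             # no january event at all -> excluded
    ("s4", 12, "september"), ("s4", 8, "october"), ("s4", 9, "november"),
    ("s4", 7, "december"), ("s4", 3, "january"), ("s4", 50, "february"),  # extra month is fine
]

def chart_sum_duration_by_month(events):
    """Emulates: | chart sum(duration) as duration over stu_id by date_month
    Returns {stu_id: {month: total_duration}}. A month with no events for a
    stu_id is simply absent, just as the chart cell would be null."""
    rows = defaultdict(lambda: defaultdict(int))
    for stu_id, duration, month in events:
        rows[stu_id][month] += duration
    return rows

def filter_all_months_positive(rows, months=REQUIRED_MONTHS):
    """Emulates: | search september>0 october>0 november>0 december>0 january>0
    A comparison against a missing (null) field does not match, so a stu_id with
    no events in one of the months drops out, as does one with a zero total."""
    return sorted(
        stu_id for stu_id, by_month in rows.items()
        if all(by_month.get(m) is not None and by_month[m] > 0 for m in months)
    )

def find_students_active_all_months(events=SAMPLE_EVENTS):
    return filter_all_months_positive(chart_sum_duration_by_month(events))

def filter_any_month_positive(events, months=REQUIRED_MONTHS):
    """Emulates the OR search suggested later in the thread:
    duration>0 (date_month="september" OR ... OR date_month="january").
    It keeps every stu_id active in at least one month, which is a different question."""
    return sorted({s for s, d, m in events if d > 0 and m in months})

if __name__ == "__main__":
    print(find_students_active_all_months())       # ['s1', 's4']
    print(filter_any_month_positive(SAMPLE_EVENTS))  # ['s1', 's2', 's3', 's4']
```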


ttudor
Explorer

Thanks, this worked.


somesoni2
SplunkTrust

Try this

index=yourIndex sourcetype=yourSourcetype duration>0 (date_month="september" OR date_month="october" OR date_month="november" OR date_month="december" OR date_month="january") | table stu_id duration date_month

ttudor
Explorer

Thanks. I tried that, but I do not need an OR, I need AND. The stu_ids must have been used in all of the months, not september OR october.
