Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return search results for a field with a duration greater than 0 for each month?

ttudor
Explorer
‎02-02-2015 01:30 PM

I have the following fields stu_id, duration, and date_month. I want to do a search to display all sru_id's that have a duration greater than 0 in every one of the following months: Sept, Oct, Nov, Dec and Jan. I can get as far as returning stu_id's with duration greater than 0, but I cannot figure out how to trim those results to only include stu_id's where they had duration greater than 0 for every month listed above.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-04-2015 11:05 AM

Thank, this worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-02-2015 01:57 PM

Try this

index=yourIndex sourcetype=yourSourcetype duration>0 (date_month="septempber" OR date_month="october" OR date_month="november" OR date_month="december" OR date_month="january") | table sru_id duration date_month
0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-02-2015 02:05 PM

Thanks. I tried that I do not need and OR, I need AND. The stu_ids must have been used in all of the months, not september OR october.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...