Solved: Re: eval and "|search" question

cpeteman · ‎08-08-2013

So I have a search that runs over a 4h time span that Only gives results when the number of event of one kind are as manhy as or more than the number of hours. I want to be able to run over any timespan:

    search terms earliest=-4h latest=now() | ... |  stats count by _raw,TimeInHour,punct| 
 addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > 3

the search should look for results that have a count equal to the number of hours I searched over but if I write

   search terms earliest=-4h latest=now() | ... |  stats count by _raw,TimeInHour,punct  |addinfo
| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > hours-1

I get no results. Are count and hours not something I can compare, how do I change that?

davecroto · ‎08-08-2013

rename count "AS" something else and then use that something else to compare.

...|stats count AS foobar by _time |where foobar>25

View solution in original post

davecroto · ‎08-08-2013

rename count "AS" something else and then use that something else to compare.

...|stats count AS foobar by _time |where foobar>25

cpeteman · ‎08-08-2013

changing search to where was all it took. Thanks!

emechler_splunk · ‎08-08-2013

It depends on how you're getting 'count'... Maybe this search will work for you?

search terms earliest=-4h | eventstats count | addinfo | eval hours = round((info_max_time - info_min_time)/3600,0) | where count > hours

cpeteman · ‎08-08-2013

no it's from a stats pipe I''l add that part of the search.

linu1988 · ‎08-08-2013

Is count a field in the event?

and why do u use search count > hours-1? why not where count > hours-1. And rather than round could you use "floor"?

eval and "|search" question

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...