Splunk Search

Why am I unable to use comparison operators "greater than or equal to" with a timechart?

kris99
New Member

unable to use where >= with timechart

timechart max(value) AS la by User | eval la=round(la,2) | where la >=10
0 Karma

somesoni2
SplunkTrust

If the span for your timechart is fixed (not using the Splunk default), then try this

your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | xyseries _time user la

OR

your base search | bucket span=<<yourSpan>> _time | stats max(value) as la by _time user | eval la=round(la,2) | where la >=10 | timechart span=<<yourSpan>> max(la) by user
0 Karma

kris99
New Member

Thank you for your response. This is close, however. I have a table which calculates the avg as below.

stats avg(value) AS la BY host User |  eval la=round(la,2) | where la >=0 

Also, as suggested by you, I want to display a timechart. I tried the below, but I see entries from the below search and not from the table above. Is it because it's _time? (i.e. if I see 10 users from the timechart, I see only one from the previous table; both need to match)

stats avg(value) as la by _time host User | eval la=round(la,2) | where la >=0 | timechart avg(la) by User
0 Karma

yuanliu
SplunkTrust

As @jrodman said, timechart by User does not give you a field named la but fields named after each User. The "as" clause is used for legend only. I think what you wanted is to find

  1. Maximum value of each User;
  2. Round the maximum value to the 2nd decimal place;
  3. For those users whose maximum value in a given time span is greater than or equal to 10, and only for those, display users and their respective maximum values.

Note the above also implies two logical consequences:

  4. Users whose maximum value has never reached 10 in the entire search period will never be shown.
  5. For users appearing on the chart, their results will show 0 in spans of time in which their maxima don't reach 10.

The logic can be reversed to produce the exact same output, i.e., by limiting timechart only to those users who ever showed a value or values reaching or exceeding 10.

| where value >= 10 | timechart max(value) as la by User | eval la=round(la,2)

Because you are seeking maxima and not average, where you perform rounding doesn't affect the outcome. In other words, you can do

| where value >= 10 | eval value=round(value,2) | timechart max(value) as la by User

to get the same results although the first form is more efficient.

0 Karma

jrodman
Splunk Employee

When you say max(value) as la by User, you get the values as the value of 'User', not as 'la'. If you have multiple fields, like |timechart max(value) as mv, avg(value) as av by user then you get the values as fields called things like mv:user1 and av:user1.

Effectively a single timechart aggterm as name by field is not a meaningful 'as' scenario, since you would want the data plotted by the field values, and we express the data as a single xyseries. You can say |where user1 >=10. I'm not sure how to construct the implied goal, but suspect it involves bringing the eval expression into the timechart.

0 Karma
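As an added example (not from any poster in this thread), the following SPL shows the column naming that @jrodman describes and one way to apply the >= 10 threshold per user after timechart has already split the series: untable turns the wide per-user columns back into rows, the where filter runs against a single field, and xyseries rebuilds the chart. The index, sourcetype, span and the field names value and User are assumptions.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| timechart span=1h max(value) AS la BY User
| untable _time User la
| eval la=round(la,2)
| where la >= 10
| xyseries _time User la
| fillnull value=0
```

After the first line the result has one column per User value (for example user1, user2) and no column named la; untable is what restores the _time, User, la shape so a plain where can be applied before the chart is rebuilt.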