Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return search results for a field with a duration greater than 0 for each month?

ttudor
Explorer
‎02-02-2015 01:30 PM

I have the following fields stu_id, duration, and date_month. I want to do a search to display all sru_id's that have a duration greater than 0 in every one of the following months: Sept, Oct, Nov, Dec and Jan. I can get as far as returning stu_id's with duration greater than 0, but I cannot figure out how to trim those results to only include stu_id's where they had duration greater than 0 for every month listed above.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-02-2015 02:05 PM

Use chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months. 

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-04-2015 11:05 AM

Thank, this worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-02-2015 01:57 PM

Try this

index=yourIndex sourcetype=yourSourcetype duration>0 (date_month="septempber" OR date_month="october" OR date_month="november" OR date_month="december" OR date_month="january") | table sru_id duration date_month
0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎02-02-2015 02:05 PM

Thanks. I tried that I do not need and OR, I need AND. The stu_ids must have been used in all of the months, not september OR october.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...