Splunk Search

How to return search results for a field with a duration greater than 0 for each month?

ttudor
Explorer

I have the following fields stu_id, duration, and date_month. I want to do a search to display all stu_id's that have a duration greater than 0 in every one of the following months: Sept, Oct, Nov, Dec and Jan. I can get as far as returning stu_id's with duration greater than 0, but I cannot figure out how to trim those results to only include stu_id's where they had duration greater than 0 for every month listed above.

Any ideas?

1 Solution

sideview
SplunkTrust
SplunkTrust

Use the chart command to get yourself rows that represent unique stu_id values, where the fields are stu_id, duration, and then the names of the months. Under each month is the total duration for that stu_id in that month. Then it's a simple search to filter those rows to the stu_id values that had durations greater than zero in all 5 months.

<your search> | chart sum(duration) as duration over stu_id by date_month | search september>0 october>0 november>0 december>0 january>0


ttudor
Explorer

Thanks, this worked.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

index=yourIndex sourcetype=yourSourcetype duration>0 (date_month="september" OR date_month="october" OR date_month="november" OR date_month="december" OR date_month="january") | table stu_id duration date_month
0 Karma

ttudor
Explorer

Thanks. I tried that. I do not need an OR, I need AND. The stu_ids must have been used in all of the months, not september OR october.

0 Karma
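A self-contained version of the accepted chart-then-filter answer, added here as an example and not posted by anyone in the thread. It builds a small constructed dataset with makeresults so it runs in any Splunk search bar with no index, and it includes the two cases that make the OR-style filter from the later reply insufficient: one stu_id with a zero-duration month and one with a month missing entirely. The stu_id values, durations and the raw field name are all made up for the example; it assumes date_month holds the lowercase full month name that Splunk's automatic date_* field extraction produces.

```spl
| makeresults
| eval raw="s001,30,september;s001,10,october;s001,5,november;s001,20,december;s001,15,january;s002,40,september;s002,0,october;s002,5,november;s002,10,december;s002,10,january;s003,25,september;s003,10,october;s003,5,november;s003,20,december"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<stu_id>[^,]+),(?<duration>[^,]+),(?<date_month>[^,]+)$"
| chart sum(duration) as duration over stu_id by date_month
| search september>0 october>0 november>0 december>0 january>0
```

Only s001 survives the final search: s002 has october=0, and s003 has no january events at all, so its january cell is empty and `january>0` excludes it (an empty cell never satisfies a numeric comparison, which is exactly the AND behaviour the question asks for). An OR filter on date_month would instead keep raw events from all three students. Two caveats when running this against real data: date_month only exists when the timestamp was extracted from the event text, so if it is missing, derive it with `| eval date_month=lower(strftime(_time,"%B"))` before the chart; and because September to January crosses a year boundary, a search window covering more than one year would merge same-named months from different years, in which case charting by `strftime(_time,"%Y-%m")` keeps them apart.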