Splunk Search

How to only show stats max(value) where min(value) is greater than 0 in the last 5 minutes?

chriselst
Engager

Hi all, just getting started and trying to get something together quickly to show management so forgive asking what is probably a trivial question.

I have a log file which is written to each minute with a count of messages in a number of queues. I have a chart showing those queues with a none zero count over the last five minutes.

source=".log" id="queue.*" value>0 | stats max(value) by id

I want it to only display queues where the count has not been zero in the previous five minutes as I only care about queues that are not emptying.

I have tried things along the lines of

source=".log" id="queue.*" value>0 | stats max(value) by id | where min(value) > 0

But cannot get it right, can someone point me in the right direction please.

Tags (4)
0 Karma
1 Solution

vganjare
Builder

HI,

Following query should help:

source=".log" id="queue.*"  | stats max(value) as MAX, min(value) as MIN by id | where MIN  > 0

Thanks!!

View solution in original post

vganjare
Builder

HI,

Following query should help:

source=".log" id="queue.*"  | stats max(value) as MAX, min(value) as MIN by id | where MIN  > 0

Thanks!!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...