I'm working on Juniper syslogs and trying to extract data using the search below:
index=A sourcetype=B LSP_DOWN OR LSP_UP | transaction LSP startswith="LSP_DOWN" endswith="LSP_UP" maxspan=1mon | timechart span=1mon count avg(duration) AS AVG max(duration) AS MAX min(duration) AS MIN stdev(duration) AS STDEV | eval AVG=tostring(AVG, "duration"), MAX=tostring(MAX, "duration"), MIN=tostring(MIN, "duration"), STDEV=tostring(STDEV, "duration")
The issue is that some of the results shown for MAX are more than 1 month, even though maxspan=1mon and span=1mon are included in the search.
The maxspan argument to the transaction command may be part of the reason you're getting incorrect results. The documentation for the transaction command doesn't show months as being a valid time specifier for the maxspan argument.
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction
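As an added example (not part of the original question or answer), here is the search rewritten with a maxspan unit that the transaction command documents (seconds, minutes, hours, days only). It keeps the asker's placeholders index=A and sourcetype=B, assumes the LSP field is already extracted from the Juniper syslog events, and approximates one month as 31 days because months are not a valid maxspan unit:

```spl
index=A sourcetype=B (LSP_DOWN OR LSP_UP)
| transaction LSP startswith="LSP_DOWN" endswith="LSP_UP" maxspan=31d
| timechart span=1mon count avg(duration) AS AVG max(duration) AS MAX min(duration) AS MIN stdev(duration) AS STDEV
| eval AVG=tostring(AVG, "duration"), MAX=tostring(MAX, "duration"), MIN=tostring(MIN, "duration"), STDEV=tostring(STDEV, "duration")
```

With maxspan=31d, transaction will not join an LSP_DOWN to an LSP_UP more than 31 days later, so the duration field (seconds) can never exceed 31 days and MAX stays within a month; a quick sanity check is to run the first two lines followed by `| stats max(duration)` and confirm the value is at most 2678400. The parentheses around the OR are only for readability (Splunk evaluates OR before the implicit AND anyway), and the timechart span=1mon is fine as written since timechart does accept month spans.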