Splunk Enterprise

How to limit results with a condition before retrieving the final results

smirambe
Engager

Dear experts,

I apologize, but I am new to Splunk and I have a question which may be really simple for you ...

I have just uploaded a file into Splunk for SAP job analysis. The format is really simple:
JobName | StartDate | Duration

I have retrieved the jobs with the highest execution duration with the search -> stats count(JobName) avg(Duration_sec) by JobName

However, I want to add the following condition: "Only the JobName with more than 100 executions should be counted".

How can I modify my query?

Thanks very much in advance.

Regards.

Stéphane

0 Karma

richgalloway
SplunkTrust

Perhaps this is what you are looking for.

stats count(JobName) as Executions avg(Duration_sec) by JobName | where Executions > 100
---
If this reply helps you, Karma would be appreciated.

smirambe
Engager

Thanks very much for everything; both solutions work perfectly. The second one is perhaps the simplest ...

0 Karma

TiagoTLD1
Communicator

Hi

1st scenario: gives you the jobs that were executed more than 100 times

| stats count(JobName) AS COUNTER avg(Duration_sec) AS AVG_DURATION by JobName | where COUNTER>100 | table JobName, AVG_DURATION

2nd scenario: if you want to calculate the avg_duration of jobs that were executed more than 100 times, you can do this:

| eventstats count(JobName) AS COUNTER by JobName | where COUNTER>100 | stats avg(Duration_sec) as AVG_DURATION by JobName | table JobName, AVG_DURATION

That returns only the

0 Karma
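
A self-contained way to try the aggregate-then-filter pattern from the answers without the SAP file, as an added example that is not part of the original thread. `makeresults` generates constructed events; the job names SAMPLE_JOB_A/B/C, the row counts, the durations and the output field name AvgDuration_sec are assumptions made for illustration.

```spl
| makeresults count=350
| streamstats count AS n
| eval JobName=case(n<=200, "SAMPLE_JOB_A", n<=320, "SAMPLE_JOB_B", true(), "SAMPLE_JOB_C")
| eval Duration_sec=case(JobName="SAMPLE_JOB_A", 30, JobName="SAMPLE_JOB_B", 90, true(), 600)
| stats count AS Executions avg(Duration_sec) AS AvgDuration_sec BY JobName
| where Executions > 100
| sort - AvgDuration_sec
```

SAMPLE_JOB_C has the highest average duration but only 30 executions, so the `where` clause drops it and the result lists SAMPLE_JOB_B (120 executions) ahead of SAMPLE_JOB_A (200 executions). The filter has to come after `stats` because the Executions field does not exist until the aggregation has run.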