Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude values from evaluation ?

zacksoft
Contributor
‎01-29-2018 06:04 AM

I have a list of values for trans_time field ranging from 0 to 45000 (not continious values).
I am performing some calculations on it such as average, summation etc...

I only want to perform my eval calculations on values from until 1500. I have sorted the trans_time field. How to set up the condition such as all the follow up evals will only be calculated from 0 to 1500. All the values above should just be excluded.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-29-2018 06:33 AM

If you want to exclude from your calculations all events where trans_time<=1500, then you can add exactly that to your base search. So, for example, if your base search was index=main sourcetype=some_data, then you would change it to index=main sourcetype=some_data trans_time<=1500. If the trans_time field doesn't appear in your base search and is created by calculations earlier in the search pipeline, then you can add | search trans_time<=1500 after the field is created.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-29-2018 06:33 AM

If you want to exclude from your calculations all events where trans_time<=1500, then you can add exactly that to your base search. So, for example, if your base search was index=main sourcetype=some_data, then you would change it to index=main sourcetype=some_data trans_time<=1500. If the trans_time field doesn't appear in your base search and is created by calculations earlier in the search pipeline, then you can add | search trans_time<=1500 after the field is created.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-29-2018 06:10 AM

have you tried

| sort 1500 -_time
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-29-2018 06:32 AM

It shows the first 1500 items..
and my trans_time values are not continiuos like (1, 2, 3, 4 ..3tc..) they are more like 1, 8, 4, 13, 19 ...)
I just need to make sure that I operate only on values from trans_time field whose value is less than 1500.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...