Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude values from evaluation ?

zacksoft
Contributor
‎01-29-2018 06:04 AM

I have a list of values for trans_time field ranging from 0 to 45000 (not continious values).
I am performing some calculations on it such as average, summation etc...

I only want to perform my eval calculations on values from until 1500. I have sorted the trans_time field. How to set up the condition such as all the follow up evals will only be calculated from 0 to 1500. All the values above should just be excluded.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-29-2018 06:33 AM

If you want to exclude from your calculations all events where trans_time<=1500, then you can add exactly that to your base search. So, for example, if your base search was index=main sourcetype=some_data, then you would change it to index=main sourcetype=some_data trans_time<=1500. If the trans_time field doesn't appear in your base search and is created by calculations earlier in the search pipeline, then you can add | search trans_time<=1500 after the field is created.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-29-2018 06:33 AM

If you want to exclude from your calculations all events where trans_time<=1500, then you can add exactly that to your base search. So, for example, if your base search was index=main sourcetype=some_data, then you would change it to index=main sourcetype=some_data trans_time<=1500. If the trans_time field doesn't appear in your base search and is created by calculations earlier in the search pipeline, then you can add | search trans_time<=1500 after the field is created.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-29-2018 06:10 AM

have you tried

| sort 1500 -_time
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-29-2018 06:32 AM

It shows the first 1500 items..
and my trans_time values are not continiuos like (1, 2, 3, 4 ..3tc..) they are more like 1, 8, 4, 13, 19 ...)
I just need to make sure that I operate only on values from trans_time field whose value is less than 1500.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...