- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to filter numeric field with where clause?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, our application logs duration times of logged method calls as ..dT=XXXms.. and I would like to use this for nice splunk graphs.
This works brilliantly if I use a query like this (in advanced charting view)
eventtype="app" dT | timechart avg(dT)
My Problem is, that the application rarely logs absurdly high duration times going up to several years - clearly a bug of the logging framework we are using.
These high dT values sadly totally screw up my nice timechart graphs, and mess with statistics. How can I filter out these values?
I already tried filtering those log statements using a where clause, but so far this has not worked for me - result set stays empty.
eventtype="app" dT | where dT<3600000 | timechart avg(dT)
Any ideas would be much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fgysin,
you can use the filter in your base search like this:
eventtype="app" dT<3600000 | timechart avg(dT)
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fgysin,
you can use the filter in your base search like this:
eventtype="app" dT<3600000 | timechart avg(dT)
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome stuff, much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype="app" dT | eval dT = tonumber(substr(dT,0,len(dT)-2)) | where dT<3600000 | timechart avg(dT)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I see. So how would I remove the ms? With the rex command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ahh I see, your field is like dT=XXXms ... so remove the ms first and then you can filter 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
take this run everywhere example:
index=_internal earliest=-2h@h latest=-1h@h kb | where kb<128 | stats count
index=_internal earliest=-2h@h latest=-1h@h kb<128 | stats count
both will return the same count. Is this dT field numeric or a string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, that does not work for me... The is graph still plotting average values which lie in the millions and billions.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
