Solved: Re: How to only show stats max(value) where min(va...

chriselst · ‎03-31-2015

Hi all, just getting started and trying to get something together quickly to show management so forgive asking what is probably a trivial question.

I have a log file which is written to each minute with a count of messages in a number of queues. I have a chart showing those queues with a none zero count over the last five minutes.

source=".log" id="queue.*" value>0 | stats max(value) by id

I want it to only display queues where the count has not been zero in the previous five minutes as I only care about queues that are not emptying.

I have tried things along the lines of

source=".log" id="queue.*" value>0 | stats max(value) by id | where min(value) > 0

But cannot get it right, can someone point me in the right direction please.

vganjare · ‎03-31-2015

HI,

Following query should help:

source=".log" id="queue.*"  | stats max(value) as MAX, min(value) as MIN by id | where MIN  > 0

Thanks!!

View solution in original post

vganjare · ‎03-31-2015

HI,

Following query should help:

source=".log" id="queue.*"  | stats max(value) as MAX, min(value) as MIN by id | where MIN  > 0

Thanks!!

How to only show stats max(value) where min(value) is greater than 0 in the last 5 minutes?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio