Hi, I almost created my own post but I found this one which is close enough to my question.

I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:

normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats avg(elapsed), median(elapsed), p90(elapsed) by detail

So an issue I run into is that it matches both where detail equals "successfulLogin" as well as "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the other. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result).

There are 3 ways I could go about this:

3. Show only the results where count is greater than, say, 10.

I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10

However, this includes the count field in the results. This is fine except when I turn this into a bar chart, the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field? I keep trying to modify the query and it does not give me the expected results. (And for extra credit, how would I redo the first query to do option 1 and 2?)

As of Splunk 4.3, you can now export an unlimited number of events from the UI. Do note, however, that exporting too many events in that manner (typically, several millions) could cause Splunkweb to misbehave and possibly to become temporarily unresponsive.

Splunk ordering: with the stats command, you can specify a list of fields in the BY clause. If no number is specified, the default limit of 10000 is used.

Finding the average: a user can use the avg() function for finding the average of a numeric field; the function takes the name of the field as its input. If the user does not use the BY clause, it gives only one record showing the average of the field over all the events.

I am using streamstats to find anomalies between my events. There is a process counter that starts at event1 and runs until the end doing i++ basically.
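One way to keep the count-based filter but drop the count column before charting, as an added example that is not part of the original post (it assumes the same normalized_source and detail values as the question):

```spl
normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home)
| stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail
| where count > 10
| fields - count
```

The `where` command still sees `count` because it runs before `fields - count`; only the final result table loses the column, so the bar chart is built from the three elapsed-time statistics alone. Because `where` uses eval-style comparisons, which are case-sensitive (unlike the value matching in the base search), `| where detail=="/online/successfulLogin"` would also exclude the lowercase-L test variant without relying on the count threshold.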