Solved: Make a slippery transaction within 20 events, how ...

collier31200 · ‎07-22-2015

Hello all,

I'm trying to make a slippery transaction within 20 events.
For example, my search return 40 events and I need to calculate the duration between:
the first event and the twentieth,
the second and the twenty first,
the third and the twenty second
etc...

With this:

transaction Routed maxevents=20 mvlist=t

Splunk only calculates 2 durations: between the first event and the twentieth, and the twenty first and the fortieth.

Please HELPPP 🙂

martin_mueller · ‎07-22-2015

If you're only looking for the duration you can use this:

index=foo sourcetype=bar Routed=* | streamstats window=20 global=f range(_time) as duration by Routed

Note, the first nineteen events may compute the duration between 1 and 1, 1 and 2, ..., 1 and 19.

View solution in original post

martin_mueller · ‎07-22-2015

If you're only looking for the duration you can use this:

index=foo sourcetype=bar Routed=* | streamstats window=20 global=f range(_time) as duration by Routed

Note, the first nineteen events may compute the duration between 1 and 1, 1 and 2, ..., 1 and 19.

collier31200 · ‎07-27-2015

Thanks a lot, perfectly doing what I want 🙂
I used:
where row >20
to remove the twenty first events

Make a slippery transaction within 20 events, how do I calculate the duration between the 1st and 20th event, 2nd and 21st, etc?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!