Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

total change in a field every time another field changes

atreece
Path Finder
‎02-07-2012 08:09 AM

I am working on a game, and have been asked to create an interesting dashboard.
My superiors want to know how long it takes a player to level up. however, they want it in played time, not world time. the field we are using for played time is an integer representing the total time (in milliseconds) that a player has been logged into the game. How would I go about creating a search that gives me the difference in the played_time field every time a player levels up? (signified by a level up event where the player's level has been increased)

I have tried a transaction search (suggested from a previous question), but the only way I could think of to make it count for played_time ( ... | eval _time=played_time ...) returned many fewer results than the regular search, and took a long time.

Any suggestions? the fields I need to use are player_name, player_level, and played_time.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lamar
Splunk Employee
Splunk Employee
‎02-07-2012 11:21 AM

First, you would need snapshots of data that define at what point (meaning, the number of milliseconds) they level up. The more exact the snapshots, the more exact your timings will be between each event, or level.

If you actually get log events that tell you exactly when they leveled and what their played was its just simple math from that point.

... LEVEL_EVENT | eval level_timespan=played_time - level_time | transaction player_name maxevents=2

You could even throw the duration in there which you'll have which will help you define how long the event took in real world minutes.

Hope that helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

Lamar
Splunk Employee
Splunk Employee
‎02-07-2012 11:21 AM

First, you would need snapshots of data that define at what point (meaning, the number of milliseconds) they level up. The more exact the snapshots, the more exact your timings will be between each event, or level.

If you actually get log events that tell you exactly when they leveled and what their played was its just simple math from that point.

... LEVEL_EVENT | eval level_timespan=played_time - level_time | transaction player_name maxevents=2

You could even throw the duration in there which you'll have which will help you define how long the event took in real world minutes.

Hope that helps.

Reply
Solved! Jump to solution

atreece
Path Finder
‎02-16-2012 06:29 AM

That is giving me exactly what I need! Thank you!

0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎02-15-2012 11:41 AM

This should work better for you, I had to put some dummy data together to really understand what you're trying to do.


... LEVEL_EVENT | head 2 | transaction character_name | stats max(played_time) as max, min(played_time) as min | eval level_time=max - min

Also, keep in mind that if you wanted to do a more surgical search like what was the time spent between certain levels. Do this:


LEVEL_EVENT level=25 OR level=26 | head 2 | transaction character_name | stats max(played_time) as max, min(played_time) as min | eval level_time=max - min

0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎02-14-2012 01:53 PM

Probably. Instead of using transaction just use 'search player_name' and use 'head 2' That should help.

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-14-2012 01:28 PM

thank you, that's giving me results.
But I can't seem to get the level_time to return anything... could it be because of how transaction groups events?

0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎02-10-2012 07:11 AM

I see what you're trying to do.

Basically, you want to take the played_time field from each event and do math on that.

Try this:


... LEVEL_EVENT |eval total_time=total_time + played_time | transaction player_name maxevents=2 | eval level_time=total_time - played_time | top 1

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-09-2012 10:55 AM

Ok, I think I need to provide some more information. The amount of time that they have played is given when they level up, but I am looking to find out how long it takes them to level up using their played time. I need to compare two events to do so, I think. The first being the most recent level up event, and the previous level up event, or, if they gained their first level, then I can just use the played_time from the event. Any ideas as to the best solution for that?

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-07-2012 12:27 PM

That looks promising...
and simple! I'll try it, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...