Splunk Search

total change in a field every time another field changes

atreece
Path Finder

I am working on a game, and have been asked to create an interesting dashboard.
My superiors want to know how long it takes a player to level up. However, they want it in played time, not world time. The field we are using for played time is an integer representing the total time (in milliseconds) that a player has been logged into the game. How would I go about creating a search that gives me the difference in the played_time field every time a player levels up? (signified by a level up event where the player's level has been increased)

I have tried a transaction search (suggested from a previous question), but the only way I could think of to make it count for played_time ( ... | eval _time=played_time ...) returned many fewer results than the regular search, and took a long time.

Any suggestions? The fields I need to use are player_name, player_level, and played_time.

0 Karma
1 Solution

Lamar
Splunk Employee

First, you would need snapshots of data that define at what point (meaning, the number of milliseconds) they level up. The more exact the snapshots, the more exact your timings will be between each event, or level.

If you actually get log events that tell you exactly when they leveled and what their played was, it's just simple math from that point.

... LEVEL_EVENT | eval level_timespan=played_time - level_time | transaction player_name maxevents=2

You could even throw the duration in there, which you'll have, which will help you define how long the event took in real world minutes.

Hope that helps.

atreece
Path Finder

That is giving me exactly what I need! Thank you!

0 Karma

Lamar
Splunk Employee

This should work better for you; I had to put some dummy data together to really understand what you're trying to do.


... LEVEL_EVENT | head 2 | transaction character_name | stats max(played_time) as max, min(played_time) as min | eval level_time=max - min

Also, keep in mind that if you wanted to do a more surgical search, like what was the time spent between certain levels, do this:


LEVEL_EVENT level=25 OR level=26 | head 2 | transaction character_name | stats max(played_time) as max, min(played_time) as min | eval level_time=max - min

0 Karma

Lamar
Splunk Employee

Probably. Instead of using transaction, just use 'search player_name' and use 'head 2'. That should help.

0 Karma

atreece
Path Finder

Thank you, that's giving me results.
But I can't seem to get the level_time to return anything... could it be because of how transaction groups events?

0 Karma

Lamar
Splunk Employee

I see what you're trying to do.

Basically, you want to take the played_time field from each event and do math on that.

Try this:


... LEVEL_EVENT | eval total_time=total_time + played_time | transaction player_name maxevents=2 | eval level_time=total_time - played_time | top 1

0 Karma

atreece
Path Finder

Ok, I think I need to provide some more information. The amount of time that they have played is given when they level up, but I am looking to find out how long it takes them to level up using their played time. I need to compare two events to do so, I think. The first being the most recent level up event, and the previous level up event, or, if they gained their first level, then I can just use the played_time from the event. Any ideas as to the best solution for that?

0 Karma

atreece
Path Finder

That looks promising...
and simple! I'll try it, thanks!

0 Karma
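
Added example, not part of the original thread and not code from any of its participants: one way to get the played_time difference between each level-up event and the previous one for the same player, using streamstats instead of transaction. The six events are constructed sample data generated with makeresults (the player names and values are made up), and a player's first level-up is assumed to count from a played_time of 0, as the question describes.

```spl
| makeresults count=6
| streamstats count as n
| eval player_name=if(n<=3, "alice", "bob")
| eval player_level=case(n=1,2, n=2,3, n=3,4, n=4,2, n=5,3, n=6,4)
| eval played_time=case(n=1,600000, n=2,1500000, n=3,3300000, n=4,420000, n=5,1320000, n=6,2520000)
| sort 0 player_name played_time
| streamstats current=f window=1 global=f last(played_time) as prev_played_time by player_name
| eval level_time_ms=played_time - coalesce(prev_played_time, 0)
| eval level_time_min=round(level_time_ms/60000, 1)
| table player_name player_level played_time prev_played_time level_time_ms level_time_min
```

On real data, replace everything above `sort` with the base search that returns the level-up events. Appending `| stats avg(level_time_min) by player_level` gives one row per level for a dashboard panel.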