
streamstats event question

jperezes
Path Finder

Hi
I am calculating the average between two consecutive events using streamstats. The question is that I have to do it with a time passed in the event data, see JSON example:

{
product_name: Native Client
product_version: 1.0.03
userId: serfr342-204S88T05285
value: {
errorDetail:
action: Share
mediaStatistics: {
[ + ]
}
requestTimestamp: 2017 - 03 - 08T03: 47: 49.016Z
}
}

I have to calculate the average in a streaming manner between one "requestTimestamp" and the next for a given user, but I am not sure if streamstats looks at those times and sorts them beforehand; it seems it is mixing arrival times with this specified time, as I am getting negative values.

Thanks in advance,
Juan


DalJeanis
Legend

woodcock has given you code to pull the timestamp, and suggested the use of delta rather than streamstats for calculating the time difference. Delta is a great tool, but it needs to be enhanced with a "by field" option, to make this kind of thing easier.

Since you are calculating this on a PER USER basis, in a single search, delta is probably too much trouble to work with. Instead, use ...

| streamstats window=2 avg(requestTimestamp) as avgTimestamp by userId
| eval deltaTimestamp = 2*( requestTimestamp - avgTimestamp )

And, before you do the above, you need to convert the timestamp and sort the file by user/timestamp to handle your record order issue.

| eval requestTimestamp=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z")
| sort 0 userId requestTimestamp
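As an added illustration (not code from either answer), here is the same window=2 average trick in Python, run once in arrival order and once after the per-user sort, on constructed events in the question's timestamp format; the userId values and the out-of-order third event are assumptions made up for the demo.

```python
from datetime import datetime, timezone

# Constructed sample events in the thread's timestamp layout. The third
# event for user "u1" arrives late, i.e. arrival order != requestTimestamp order.
EVENTS = [
    {"userId": "u1", "requestTimestamp": "2017 - 03 - 08T03: 47: 49.016Z"},
    {"userId": "u2", "requestTimestamp": "2017 - 03 - 08T03: 50: 00.000Z"},
    {"userId": "u1", "requestTimestamp": "2017 - 03 - 08T03: 47: 19.016Z"},
    {"userId": "u1", "requestTimestamp": "2017 - 03 - 08T03: 48: 49.016Z"},
    {"userId": "u2", "requestTimestamp": "2017 - 03 - 08T03: 52: 30.000Z"},
]

# Same whitespace-laden layout the strptime() calls in the answers parse.
FMT = "%Y - %m - %dT%H: %M: %S.%fZ"


def parse_ts(s):
    """Epoch seconds (UTC) for a timestamp in the thread's format."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc).timestamp()


def stream_deltas(events, presort):
    """Per-user gap between consecutive events, computed the way
    'streamstats window=2 avg(ts) by userId | eval delta=2*(ts-avg)' does.
    presort=False processes events in arrival order, which is what produces
    the negative deltas described in the question; presort=True is the
    equivalent of '| sort 0 userId requestTimestamp' first."""
    rows = [(e["userId"], parse_ts(e["requestTimestamp"])) for e in events]
    if presort:
        rows.sort()
    window = {}  # userId -> last two timestamps seen (the window=2 state)
    out = []
    for user, ts in rows:
        w = window.setdefault(user, [])
        w.append(ts)
        del w[:-2]  # keep only the current and previous event
        avg = sum(w) / len(w)
        # 2*(current - avg(current, previous)) == current - previous;
        # a user's first event has only itself in the window, so delta is 0.
        out.append((user, round(2 * (ts - avg), 3)))
    return out
```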

woodcock
Esteemed Legend

Like this (NOTE: I am skeptical the whitespace in your sample data is the way that it actually is):

Your Base Search Here | eval rTime=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z") | delta rTime AS requestDelta