streamstats event question

jperezes
Path Finder

Hi
I am calculating the average between two consecutive events using streamstats. The question is that I have to do it with a time passed in the event data, see JSON example:

{
product_name: Native Client
product_version: 1.0.03
userId: serfr342-204S88T05285
value: {
errorDetail:
action: Share
mediaStatistics: {
[ + ]
}
requestTimestamp: 2017 - 03 - 08T03: 47: 49.016Z
}
}

I have to calculate the average in a stream manner between "requestTimestamp" and "requestTimestamp" for a given user, but I am not sure whether streamstats looks at those times and sorts them beforehand; it seems to be mixing arrival times with this specified time, as I am getting negative values.

Thanks in advance,
Juan


DalJeanis
SplunkTrust

woodcock has given you code to pull the timestamp, and suggested the use of delta rather than streamstats for calculating the time difference. Delta is a great tool, but it needs to be enhanced with a "by field" option, to make this kind of thing easier.

Since you are calculating this on a PER USER basis, in a single search, delta is probably too much trouble to work with. Instead, use ...

| streamstats avg(requestTimestamp) as avgTimestamp by user window=2
| eval deltaTimestamp = 2*( requestTimestamp -avgTimestamp)

And, before you do the above, you need to convert the timestamp and sort the file by user/timestamp to handle your record order issue.

| eval requestTimestamp=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z")
| sort 0 user requestTimestamp
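As an added illustration of the approach in the answer above (my own Python, not code from this thread or from Splunk), this simulates `sort` followed by `streamstats avg(...) window=2 by user` and the `2*(ts - avg)` trick on a few constructed events, and shows the negative deltas that appear when the sort step is skipped. The field names userId and requestTimestamp come from the question's sample; the event values are constructed.

```python
from datetime import datetime, timezone

# Constructed sample events, deliberately out of timestamp order for userA
# (the "arrival order mixing" problem described in the question). The
# timestamp spacing mimics the question's JSON sample.
EVENTS = [
    {"userId": "userA", "requestTimestamp": "2017 - 03 - 08T03: 47: 49.016Z"},
    {"userId": "userA", "requestTimestamp": "2017 - 03 - 08T03: 47: 19.016Z"},
    {"userId": "userB", "requestTimestamp": "2017 - 03 - 08T03: 50: 00.000Z"},
    {"userId": "userA", "requestTimestamp": "2017 - 03 - 08T03: 48: 09.016Z"},
    {"userId": "userB", "requestTimestamp": "2017 - 03 - 08T03: 50: 05.500Z"},
]


def parse_ts(text):
    # Python equivalent of strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z")
    # for the spaced-out format; returns epoch seconds as a float (UTC).
    dt = datetime.strptime(text, "%Y - %m - %dT%H: %M: %S.%fZ")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def stream_deltas(events, sort_first=True):
    # Mirrors:  sort 0 user requestTimestamp
    #           | streamstats avg(requestTimestamp) as avgTimestamp by user window=2
    #           | eval deltaTimestamp = 2*(requestTimestamp - avgTimestamp)
    rows = [dict(e, ts=parse_ts(e["requestTimestamp"])) for e in events]
    if sort_first:
        rows.sort(key=lambda r: (r["userId"], r["ts"]))
    windows = {}  # per-user list holding at most the last two timestamps
    out = []
    for r in rows:
        w = windows.setdefault(r["userId"], [])
        w.append(r["ts"])
        if len(w) > 2:
            w.pop(0)
        avg = sum(w) / len(w)
        # With a two-event window, 2*(ts - avg) == ts - previous_ts.
        # The first event per user has avg == ts, so its delta is 0.
        out.append((r["userId"], round(2 * (r["ts"] - avg), 3)))
    return out


if __name__ == "__main__":
    print("sorted:  ", stream_deltas(EVENTS))
    print("unsorted:", stream_deltas(EVENTS, sort_first=False))
```

Without the sort, userA's second row comes out at -30.0 seconds, which is exactly the symptom reported in the question.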

woodcock
Esteemed Legend

Like this (NOTE: I am skeptical the whitespace in your sample data is the way that it actually is):

Your Base Search Here | eval rTime=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z") | delta rTime AS requestDelta