streamstats event question

jperezes · ‎03-09-2017

Hi
I amb calculating the averge between two consecutive events using streamstats, the question is that I have to do it with a time passed in the event data, see JSON example:

{
product_name: Native Client
product_version: 1.0.03
userId: serfr342-204S88T05285
value: {
errorDetail:
action: Share
mediaStatistics: {
[ + ]
}
requestTimestamp: 2017 - 03 - 08T03: 47: 49.016Z
}
}

i have to calculate the average in a stream manner between "reqestTimestamp" to "requestTimestamp" for a given user, but I am not sure if streamstats look for that times and sort them in beforehand, it seems is mixing arrival times with this specified time, as I am getting negative values.

Thanks in advance,
Juan

DalJeanis · ‎03-09-2017

woodcock has given you code to pull the timestamp, and suggested the use of delta rather than streamstats for calculating the time difference. Delta is a great tool, but it needs to be enhanced with a "by field" option, to make this kind of thing easier.

Since you are calculating this on a PER USER basis, in a single search, delta is probably too much trouble to work with. Instead, use ...

| streamstats avg(requestTimestamp) as avgTimestamp by user window=2
| eval deltaTimestamp = 2*( requestTimestamp -avgTimestamp)

And, before you do the above, you need to convert the timestamp and sort the file by user/timestamp to handle your record order issue..

| eval requestTimestamp=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z" 
| sort 0 user requestTimestamp

woodcock · ‎03-09-2017

Like this (NOTE: I am skeptical the whitespace in your sample data is the way that it actually is):

Your Base Search Here | eval rTime=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z" | delta rTime AS requestDelta

streamstats event question

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!