Hi,
I am trying to compute statistics about the Splunk data. To do so, I've got a datamodel with the number of events per host/sourcetype for each hour.
So I can query it this way:
| tstats count from datamodel="Splunk_Stats" where nodename="Host.Host_Per_Hour" Host.orig_host="*" Host.orig_sourcetype="*" AND earliest=-31d latest=@h by Host.orig_host,Host.orig_sourcetype,_time span=1h
| rename Host.orig_host AS orig_host, Host.orig_sourcetype AS orig_sourcetype
This works, but then I want to compute the range (the difference between two successive values) of _time for each host/sourcetype.
So I add:
... | streamstats global=false window=2 range(_time) AS r_time by orig_host, orig_sourcetype
I use global=false and window=2 because, from my understanding, it will make Splunk compute the range over every two successive values for each individual host/sourcetype couple.
For example:
sourcetype   _time
A            today
B            today
A            2 days ago
A            3 days ago
A            4 days ago
So the streamstats command adds:
sourcetype   _time        r_time
A            today        0
B            today        0
A            2 days ago   2
A            3 days ago   1
A            4 days ago   1
Now, when I do this, it works if I filter down to a specific source type in my tstats command. But when there are several (a lot of) source types all mixed together (because I don't filter), the streamstats command does not compute the range and there is no r_time column...
Any idea how to make it work?
Anyone, please?
@davietch,
It seems the field names are not getting recognized. Can you try the below:
... | streamstats global=false window=2 range(_time) AS r_time by Host.orig_host, Host.orig_sourcetype
Hi,
As you can see above, I did use a "rename" command. Moreover, some host/sourcetype couples are computed correctly, but not all..