Splunk Search

How do I compute the range between 2 values of _time with streamstats?

davietch
Path Finder

Hi,

I am trying to compute statistics about the Splunk data. To do so, I've got a datamodel with the number of events per host/sourcetype for each hour.

So I can query it this way:

| tstats  count from datamodel="Splunk_Stats" where nodename="Host.Host_Per_Hour" Host.orig_host="*" Host.orig_sourcetype="*" AND earliest=-31d latest=@h by Host.orig_host,Host.orig_sourcetype,_time span=1h
| rename Host.orig_host AS orig_host, Host.orig_sourcetype AS orig_sourcetype

This works but then, I want to compute the range (difference between 2 successive values) of _time for each host/sourcetype.
So I add:

... | streamstats global=false window=2 range(_time) AS r_time by orig_host, orig_sourcetype  

I do global=false and window=2, because, from my understanding, it will make Splunk compute the range for every two successive values for each individual host/sourcetype couple.

For example:

sourcetype      _time
A                today
B                today
A                2 days ago
A                3 days ago
A                4 days ago

So the streamstats command adds:

sourcetype      _time            r_time
A                today           0
B                today           0
A                2 days ago      2
A                3 days ago      1
A                4 days ago      1

Now, when I do this, it works if I filter down to a specific source type in my tstats command. But when there are several (a lot of) source types all mixed together (because I don't filter), the streamstats command does not compute the range and there is no r_time column...

Any idea how to make it work?

0 Karma
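The per-group windowed range described in the question, as an added example that is not part of the original post: a small Python emulation of `streamstats global=false window=2 range(_time) ... by orig_host, orig_sourcetype` over constructed rows that mirror the table above (newest bucket first, as the tstats output is ordered). It goes one step beyond the post by flagging any successive pair of hourly buckets whose gap is larger than one span, which is what a defender would use this computation for: spotting hosts or sourcetypes that stopped reporting. Host names, the reference timestamp and the `ingestion_gaps` helper are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

DAY = 86400
HOUR = 3600
# Constructed reference time standing in for "today" in the question's table.
NOW = int(datetime(2024, 3, 1, 12, 0, 0).timestamp())

# Constructed rows mirroring the question: one row per (host, sourcetype, hourly bucket).
# Host "h1" is an assumption; the original table only shows sourcetypes A and B.
SAMPLE_ROWS = [
    {"orig_host": "h1", "orig_sourcetype": "A", "_time": NOW},
    {"orig_host": "h1", "orig_sourcetype": "B", "_time": NOW},
    {"orig_host": "h1", "orig_sourcetype": "A", "_time": NOW - 2 * DAY},
    {"orig_host": "h1", "orig_sourcetype": "A", "_time": NOW - 3 * DAY},
    {"orig_host": "h1", "orig_sourcetype": "A", "_time": NOW - 4 * DAY},
]


def streamstats_range(rows, field, window, by, as_name):
    """Emulate `streamstats global=false window=<window> range(<field>) AS <as_name> by <by>`.

    Rows are consumed in input order. Each distinct combination of the `by`
    fields keeps its own sliding window holding at most `window` values of
    `field`; the range is max - min over that window, so a group's first row
    (window of size 1) gets 0, and with window=2 every later row gets the
    distance to that group's previous row.
    """
    windows = defaultdict(lambda: deque(maxlen=window))
    out = []
    for row in rows:
        key = tuple(row[f] for f in by)
        win = windows[key]
        win.append(row[field])
        new_row = dict(row)
        new_row[as_name] = max(win) - min(win)
        out.append(new_row)
    return out


def ingestion_gaps(rows, span_seconds=HOUR):
    """Assumed helper: list (host, sourcetype, gap_seconds) for every pair of
    successive buckets of the same host/sourcetype that are more than one
    span apart, i.e. hours in which that source produced no events."""
    ranged = streamstats_range(
        rows, "_time", 2, ("orig_host", "orig_sourcetype"), "r_time"
    )
    return [
        (r["orig_host"], r["orig_sourcetype"], r["r_time"])
        for r in ranged
        if r["r_time"] > span_seconds
    ]


if __name__ == "__main__":
    for r in streamstats_range(
        SAMPLE_ROWS, "_time", 2, ("orig_host", "orig_sourcetype"), "r_time"
    ):
        print(r["orig_sourcetype"], r["_time"], r["r_time"] / DAY)
    print(ingestion_gaps(SAMPLE_ROWS))
```

Because `_time` is epoch seconds, `r_time` comes out in seconds (the table in the question shows the same values in days); the gap check compares against the 1h span of the tstats query, so with these sample rows every A-to-A step is reported as a gap.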

davietch
Path Finder

Anyone, please?

0 Karma

493669
Super Champion

@davietch,
It seems the field names are not getting recognized. Can you try the below:

... | streamstats global=false window=2 range(_time) AS r_time by Host.orig_host, Host.orig_sourcetype
0 Karma

davietch
Path Finder

Hi,

As you can see above, I did a "rename" command. Moreover, some host/sourcetype couples are computed correctly, but not all...

0 Karma