Counting events within a rolling window (last X se...

Kindred · ‎02-25-2013

Hey everyone,

Given the following dummy events, how can I maintain a count of the events (by FIELD_X) based on a rolling window from the point of the current event, where the window span is say the last 30 seconds?

2013-02-25 00:00 FIELD_1 message         -- FIELD_1 count = 1
2013-02-25 00:10 FIELD_3 message         -- FIELD_3 count = 1
2013-02-25 00:20 FIELD_2 message         -- FIELD_2 count = 1
2013-02-25 00:30 FIELD_1 message         -- FIELD_1 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:40 FIELD_2 message         -- FIELD_2 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:50 FIELD_3 message         -- FIELD_3 count = 1 (since it was 40 seconds since last FIELD_3)

I then just want to include this count in the search result.

martin_mueller · ‎02-26-2013

Ignoring the by FIELD_X you can do this:

...  | eval window = 30 | concurrency duration=window

I'll have a think about grouping that...

martin_mueller · ‎02-26-2013

You could work yourself around that with bin span=1s count somethingorother, then you can use streamstats' event window just like you use a rolling seconds window.

Edit: http://splunk-base.splunk.com/answers/72115/streamstats-with-time-window

Ayn · ‎02-26-2013

There's also streamstats which has a window option, but unfortunately the window is defined by number of events, not amount of time.

Kindred · ‎02-26-2013

Yeah its the grouping part that's needed, otherwise concurrency is across all of them.

Counting events within a rolling window (last X seconds from the event's time)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms