Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Streamstats reset at 9.00am every day, even without a 9.00am event

davidjaniec
Explorer
‎09-10-2021 04:27 AM

I'm very stuck, how can I have a streamstats function accumulate a total and reset at 9.00am every day? 

It's straightforward if I have an event at 9.00am, but if the last event was at say 8.55am, then the next event is at 9.15am, the reset occurs, however, it will continue to reset for all events which occur between 9.00am and 9.59am as the statement remains true throughout the hour below in my example.

index=main | eval Hour=strftime(_time,"%H")
| streamstats reset_after="("Hour==09")" sum(Result) as Total

I tried to experiment with specifying the minute, but the same situation exists if the 9.00am minute does not exist.

index=main | eval Hour=strftime(_time,"%H%M")
| streamstats reset_after="("Hour==0900")" sum(Result) as Total

I think I need to either make a lookup to create an event every 9 am for each day, but I couldn't figure that out if the time range was greater than one day. I experimented with makeresults to create an event, but this needed an append which messed up all of my other parts of the query.

I think the most elegant way to do this is to have an event created for every 9 am before the query is made, but I can't figure it out, any advice/ideas are welcomed!

 

Dave

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:29 AM 
| eval _day=relative_time(_time,"-9h@d")
| streamstats sum(Result) as Total by _day

View solution in original post

0 Karma
Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-15-2021 07:28 PM

I'll admit I still haven't had success with this, can you explain why this doesn't work?

 

| makeresults count=5
| streamstats count
| eval age = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval city = case(count=1 OR count=3, "San Francisco", count=2 OR count=4, "Seattle")
| eval _day=relative_time(_time,"-9h@d")

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:29 AM 
| eval _day=relative_time(_time,"-9h@d")
| streamstats sum(Result) as Total by _day
0 Karma
Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-10-2021 06:45 AM

Thanks for the reply, but isn't that relative to when you run it? Not absolute at 9 am every day?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:56 AM

The function works on the arguments given - _time is the time from each event, -9 hours takes any _time before 9am into the previous day, and @day snaps to the beginning of that day.

Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-10-2021 04:58 PM

Ahh brilliant thanks so much, I didn't have a derived timestamp in the data so I didn't recognise it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...