Hi all!
I am working on a task: create a cumulative chart counting Success and Error entities by 1-hour slice interval, checking the latest [Status] value by [ID] and [StatusDateTime] for every [Slice].
"Slice logic" - for example, given the following events:
ID   Status    StatusDateTime
--   -------   ----------------
1    Error     2014-04-23 10:55
2    Success   2014-04-23 10:55
1    Success   2014-04-23 11:55
I need to get the following result:
Slice              Success   Error
----------------   -------   -----
2014-04-23 11:00   1         1
2014-04-23 12:00   2         0
I know how to calculate count separately for 1 hour periods:
index="log_index"
| eval GroupDate=strftime(relative_time(StatusDateTime, "+1h@h"), "%Y-%m-%d %H:%M")
| stats latest(Status) as Status by ID, GroupDate
| stats c(eval(Status="Success")) as SuccessCount, c(eval(Status="Error")) as ErrorCount by GroupDate
In SQL, I could use a subquery for each period and calculate it (specifying latest in the sub-search as GroupDate). But, as I understand it, Splunk does not support passing parameters/values from the main search to a sub-search; is that true?
I do not have any idea how to create the needed cumulative logic.
Can anyone please guide me on this?
Thanks!
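As an added reference example (not part of the original post or of Splunk), the slice logic described above written out in plain Python: each event is assigned to the slice that `relative_time(StatusDateTime, "+1h@h")` would give it, and for every hourly slice from the first to the last each ID is counted once by its latest Status as of that slice. The event list is constructed from the question's own table; the names `slice_of` and `cumulative_status_counts` are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, copied from the question's example table: (ID, Status, StatusDateTime)
EVENTS = [
    (1, "Error",   "2014-04-23 10:55"),
    (2, "Success", "2014-04-23 10:55"),
    (1, "Success", "2014-04-23 11:55"),
]

FMT = "%Y-%m-%d %H:%M"


def slice_of(ts):
    """Mirror relative_time(StatusDateTime, "+1h@h"): add one hour, then snap down to the hour.
    10:55 -> 11:00, 11:00 -> 12:00, 11:55 -> 12:00."""
    return (ts + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)


def cumulative_status_counts(events):
    """Return [(Slice, SuccessCount, ErrorCount), ...] for every hourly slice from the
    first to the last, counting each ID once by its latest Status as of that slice."""
    parsed = sorted((datetime.strptime(t, FMT), i, s) for i, s, t in events)
    if not parsed:
        return []
    first, last = slice_of(parsed[0][0]), slice_of(parsed[-1][0])
    latest = {}   # ID -> Status, the latest value seen so far (events are time-ordered)
    rows, k, sl = [], 0, first
    while sl <= last:
        # fold in every event whose slice is this one or earlier; later events keep waiting
        while k < len(parsed) and slice_of(parsed[k][0]) <= sl:
            _, i, s = parsed[k]
            latest[i] = s
            k += 1
        counts = Counter(latest.values())
        rows.append((sl.strftime(FMT), counts["Success"], counts["Error"]))
        sl += timedelta(hours=1)
    return rows


if __name__ == "__main__":
    for row in cumulative_status_counts(EVENTS):
        print("%s  Success=%d  Error=%d" % row)
```

Hours with no new events repeat the previous slice's counts, which is what a cumulative chart needs; the Splunk search still has to be built on top of this logic.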