Find Time between events, including current Time.

jrnastase — Wed, 22 Aug 2018 13:23:03 GMT

Hello all,

I've seen examples of how to find time between events using streamstats, and also to find the time since the most recent event using stats, but how would I accomplish doing both?

Ultimately I'm trying to detect a loss of information that's reported every 10 minutes, so I'm using streamstats to search for differences of > 10 min, however this "outage" isn't detected until after the data is reported again, thus giving streamstats two items to actually compare. I need all of these deltas, and also the time since the most recent as occurred.

Thanks, and here's some code I have:

| streamstats current=t last(_time) as last_time by field 
| eval outage= last_time - _time
| eval outage=tostring(outage, "duration")
| table field _time outage

Re: Find Time between events, including current Time.

somesoni2 — Wed, 22 Aug 2018 16:18:23 GMT

Give this a try

search
| streamstats window=1 current=f values(_time) as last_time by field 
| eval last_time=if(isnull(last_time),now(),last_time)
| eval outage= abs(last_time - _time)
| where outage>600
| eval outage=tostring(outage, "duration")
| table field _time outage

topic Re: Find Time between events, including current Time. in Splunk Search

Find Time between events, including current Time.

Re: Find Time between events, including current Time.