topic Re: Event sampling with specific event gaps for multiple hosts in Splunk Search

Event sampling with specific event gaps for multiple hosts

AshimaE — Thu, 15 Jun 2017 09:57:08 GMT

I have multiple hosts in my result table and there is no specific sampling interval for each. However it is sure that in every host there are events at every 15 minutes though there can be variable number/ time of other events in between. How do I select the 15 minutes events from every host separately since I have to take the stats of the fields for every host separately.

Re: Event sampling with specific event gaps for multiple hosts

rjthibod — Thu, 15 Jun 2017 10:19:13 GMT

Can you share some of your SPL query and/or raw data? I am having a difficult time understanding what exactly you mean.

Re: Event sampling with specific event gaps for multiple hosts

woodcock — Fri, 16 Jun 2017 01:53:40 GMT

You can use this:

... | bin _time span=15m

This will round all events down to the nearest 15-minute boundary. Now you can do your other magic.

Re: Event sampling with specific event gaps for multiple hosts

DalJeanis — Fri, 16 Jun 2017 03:12:10 GMT

If you want to average the samples in every 15m interval
...
| bin _time span=15m
| stats avg(Value) as Value by _time host

If you want the first event out of every 15 minute interval and you know there will always be one...
...
| bin _time as Time span=15m
| stats earliest(Value) as Value by Time host