topic Re: streamstats event question in Splunk Search

streamstats event question

jperezes — Thu, 09 Mar 2017 11:47:06 GMT

Hi
I amb calculating the averge between two consecutive events using streamstats, the question is that I have to do it with a time passed in the event data, see JSON example:

{
product_name: Native Client
product_version: 1.0.03
userId: serfr342-204S88T05285
value: {
errorDetail:
action: Share
mediaStatistics: {
[ + ]
}
requestTimestamp: 2017 - 03 - 08T03: 47: 49.016Z
}
}

i have to calculate the average in a stream manner between "reqestTimestamp" to "requestTimestamp" for a given user, but I am not sure if streamstats look for that times and sort them in beforehand, it seems is mixing arrival times with this specified time, as I am getting negative values.

Thanks in advance,
Juan

Re: streamstats event question

woodcock — Thu, 09 Mar 2017 15:10:56 GMT

Like this (NOTE: I am skeptical the whitespace in your sample data is the way that it actually is):

Your Base Search Here | eval rTime=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z" | delta rTime AS requestDelta

Re: streamstats event question

DalJeanis — Thu, 09 Mar 2017 15:41:45 GMT

woodcock has given you code to pull the timestamp, and suggested the use of delta rather than streamstats for calculating the time difference. Delta is a great tool, but it needs to be enhanced with a "by field" option, to make this kind of thing easier.

Since you are calculating this on a PER USER basis, in a single search, delta is probably too much trouble to work with. Instead, use ...

| streamstats avg(requestTimestamp) as avgTimestamp by user window=2
| eval deltaTimestamp = 2*( requestTimestamp -avgTimestamp)

And, before you do the above, you need to convert the timestamp and sort the file by user/timestamp to handle your record order issue..

| eval requestTimestamp=strptime(requestTimestamp, "%Y - %m - %dT%H: %M: %S.%3N%Z" 
| sort 0 user requestTimestamp