Solved: Get 10 minutes before 1 minute

mkoh · ‎04-23-2018

If I search, I can see the count value of each field for one minute, and also want to know the sum count value 10 minutes before that.

For example
At FFM_count 2 on 20170101 00:15:00
Please see the FFM_count sum from 201701 00:04 to 201701 00:14.

Is it possible for a splunk to express this way?
If possible, I'd like to know how.

woodcock · ‎05-09-2018

Like this:

YOUR SEARCH HERE
| streamstats current=f window=10 sum(*count) AS sum_last_10_*count

woodcock · ‎05-09-2018

Like this:

YOUR SEARCH HERE
| streamstats current=f window=10 sum(*count) AS sum_last_10_*count

woodcock · ‎05-09-2018

Actually, I think that you need a | reverse in there above the | streamstats or you will be getting the 10 after, not before.

Shan · ‎04-23-2018

host=* source=* earliest=-10m latest=now (Try this in your query and let me know whether it helps) . For more reference . Go through the below link.

Shan · ‎04-26-2018

@mkoh - Do the above command helps you ..

Get 10 minutes before 1 minute