Re: Conditional Aggregate

bmer · ‎08-12-2022

I have below splunk which gets me all entityID's with count

index=coreprod pod=xxxx CASE(xxxxxx) event=ack |stats count by entityId |where count>1

I want to list ONLY those entityID's where the difference between their occurrence is less than 1hr (0r xx min

ITWhisperer · ‎08-12-2022

index=coreprod pod=xxxx CASE(xxxxxx) event=ack earliest=-1h | stats count by entityId |where count>1

bmer · ‎08-12-2022

Thanks @ITWhisperer But this is ONLY for LAST 1h. I want to pull all output of YESTERDAY and see within that how many duplicate events had a gap of 1h or 30m or xx

ITWhisperer · ‎08-12-2022

Do you mean something like this?

index=coreprod pod=xxxx CASE(xxxxxx) event=ack
| streamstats range(_time) as range global=f window=2 by entityId
| where range < 3600
| stats count

bmer · ‎08-12-2022

@ITWhisperer Let me try explaining with an example.My original splunk gives below output for YESTERDAY.I know that A2 and A3 event occurred within a span of 30min whereas BOTH the A1 events occurred within a gap of 2h

entityId	Count
A1	2
A2	2
A3	3

Iam trying to see (using splunk) if there is some way to list ONLY for YESTERDAY since these 2 records fulfil the criteria of having occurred within 30min

entityId	Count
A2	2
A3	3

ITWhisperer · ‎08-12-2022

| sort 0 _time
| streamstats range(_time) as range window=2 global=f by entityId
| eval range=if(range > 0,range,null())
| eventstats min(range) as range by entitiyId
| where range < 1800
| stats count by entityId
| eval count = count + 1

Conditional Aggregate- How to search all entityID's with count?

field extraction

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk