Solved: How to find the expected frequency of an index?

POR160893 · ‎02-10-2023

Hi,

I am writing a query here to calculate the expected frequency of data in an index :

index=ABC
| eval time_diff=_time-lag(_time)
| stats avg(time_diff) as avg_time_diff

However, when I try and run it, I receive the following error message:

Error in 'eval' command: The 'lag' function is unsupported or undefined.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Can you please help?

gcusello · ‎02-10-2023

Hi @POR160893,

yes there's this function, it's "delta" (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-10-2023

Hi @POR160893,

sorry: where did you find the lag function?

what do you want to calculate with it?

Ciao.

Giuseppe

POR160893 · ‎02-10-2023

I assumed Splunk has a lag function. I use it quiet a lot in my SQL queries. I need it to calculate the time difference between each event and the previous event. This is because I would then alculats the average value of the "time_diff" field, giving you an estimate of the expected frequency of data in the index.

gcusello · ‎02-10-2023

Hi @POR160893,

yes there's this function, it's "delta" (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)

Ciao.

Giuseppe

POR160893 · ‎02-10-2023

Thanks, I changed my query to this then:

gcusello · ‎02-10-2023

Hi @POR160893,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to find the expected frequency of an index?

data model

other

saved search

summary indexing

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update