Solved: How to find the expected frequency of an index?

POR160893 · ‎02-10-2023

Hi,

I am writing a query here to calculate the expected frequency of data in an index :

index=ABC
| eval time_diff=_time-lag(_time)
| stats avg(time_diff) as avg_time_diff

However, when I try and run it, I receive the following error message:

Error in 'eval' command: The 'lag' function is unsupported or undefined.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Can you please help?

gcusello · ‎02-10-2023

Hi @POR160893,

yes there's this function, it's "delta" (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-10-2023

Hi @POR160893,

sorry: where did you find the lag function?

what do you want to calculate with it?

Ciao.

Giuseppe

POR160893 · ‎02-10-2023

I assumed Splunk has a lag function. I use it quiet a lot in my SQL queries. I need it to calculate the time difference between each event and the previous event. This is because I would then alculats the average value of the "time_diff" field, giving you an estimate of the expected frequency of data in the index.

gcusello · ‎02-10-2023

Hi @POR160893,

yes there's this function, it's "delta" (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)

Ciao.

Giuseppe

POR160893 · ‎02-10-2023

Thanks, I changed my query to this then:

gcusello · ‎02-10-2023

Hi @POR160893,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to find the expected frequency of an index?

data model

other

saved search

summary indexing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!