Re: Calculate cumulative time from first event in ...

smahoney · ‎12-16-2020

Basically data looks like this. I want to calculate the average time to complete an order across many orders each with different amounts of items.

_time,orderId,"receivedOrder"
_time,itemId,orderId,"completedItemProcessing"
_time,itemId,orderId,"completedItemProcessing"
_time,itemId,orderId,"completedItemProcessing"

I have a query that works, but its hugely inefficient and throws errors due to hitting the stats limit. There has to be a better way to do this, streamstats or delta just gave me the duration from the previous event in the chain and I need to have that evaluate against the order time for all items in an order, not the previous item.

index=index "@mt"="itemComplete" OR @mt="orderReceived" 
| fillnull value=orderReceived itemComplete
| stats earliest(_time) as orderReceived list(itemId) as itemId,list(_time) as prepTime by orderId 
| mvexpand prepTime
| eval timeToPrep=prepTime-orderReceived 
| stats avg(timeToPrep) as avgItemCompletedDuration
| where startOfPreperation>0

ITWhisperer · ‎12-17-2020

What about streamstats earliest(_time) as start latest(_time) as end by orderId, Then each event should have the start and end time of the whole order.

Calculate cumulative time from first event in group for each event

other

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All