Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

base streamstats on timestamps in data not arrival time

jperezes
Path Finder
‎03-08-2017 03:11 AM

Hi,
I have a question I don't know if is quite possible to do. I have to calculate some data between events, but not in the order of arrival but in the order the user did the action, using a timestamp passed into the event data to splunk.
So far the only way to get time statistics between events has been only successful if based on _time. i.e:

|streamstats current=f last(_time) as next_time by userId
|eval gap = next_time - _time
| stats count, avg(gap) as avg_gap, var(gap) as var_gap by userId

What I would want is the following but not working at all:

|eval timeStamp = strptime(value.timestamp,"%Y-%m-%dT%H:%M:%S.%3N%Z")
|streamstats current=f last(timeStamp) as next_time by userId
|eval gap = next_time - timeStamp
| stats count, avg(gap) as avg_gap, var(gap) as var_gap by userId

Thanks in advance!

Juan

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-08-2017 09:56 AM

You are missing spaces:

... | eval timeStamp = strptime(value.timestamp,"%Y - %m - %dT%H: %M: %S.%3N%Z") | ...
0 Karma
Reply

jperezes
Path Finder
‎03-08-2017 10:05 AM

Thanks woodcock, I think is ok now the time format doesn't have spaces:
2017-03-08T16:59:30.491Z

the trick was the tildes 'value.timestamp*'* just that 🙂

0 Karma
Reply

rjthibod
Champion
‎03-08-2017 03:25 AM

Can you provide an example raw event so we can see the fields?

0 Karma
Reply

jperezes
Path Finder
‎03-08-2017 03:35 AM

Sure thanks.
This is a sample of a relevant JSON data format received in the event, the action is Share so I would need, for example, to get statistics between one share and the next. But using requestTimestamp, not arrival time (_time), as this data can be sent to splunk way after it has been produced:

{
product_name: Native Client
product_version: 1.0.03
userId: serfr342-204S88T05285
value: {
errorDetail:
action: Share
mediaStatistics: {
[ + ]
}
requestTimestamp: 2017 - 03 - 08T03: 47: 49.016Z
}
}

0 Karma
Reply

rjthibod
Champion
‎03-08-2017 03:54 AM

Does the line

|eval timeStamp = strptime(value.timestamp,"%Y-%m-%dT%H:%M:%S.%3N%Z")

Actually return an epoch value that is correct or is that failing?

0 Karma
Reply

jperezes
Path Finder
‎03-08-2017 04:10 AM

Failing is not, I actually added timestamp for simplicity in the first question but is correct as requestTimestamp in the real search.
Not 100% sure about the correct returned format though, is there a way to easily check a time value.
Thanks a million.

0 Karma
Reply

rjthibod
Champion
‎03-08-2017 04:32 AM

The field timestampt should be a number representing the epoch seconds equivalent to the string in value.timestamp. So, are you seeing correct values in timestamp if you stop your query after that line?

0 Karma
Reply

jperezes
Path Finder
‎03-08-2017 09:05 AM

Hi, found the issue, second time that happens to me and drives me crazy...

instead of
strptime(value.timestamp,"%Y-%m-%dT%H:%M:%S.%3N%Z")

should be

strptime('value.timestamp',"%Y-%m-%dT%H:%M:%S.%3N%Z")

thanks for the help on finding that.
Juan

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...