Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Streamstats reset at 9.00am every day, even without a 9.00am event

davidjaniec
Explorer
‎09-10-2021 04:27 AM

I'm very stuck, how can I have a streamstats function accumulate a total and reset at 9.00am every day? 

It's straightforward if I have an event at 9.00am, but if the last event was at say 8.55am, then the next event is at 9.15am, the reset occurs, however, it will continue to reset for all events which occur between 9.00am and 9.59am as the statement remains true throughout the hour below in my example.

index=main | eval Hour=strftime(_time,"%H")
| streamstats reset_after="("Hour==09")" sum(Result) as Total

I tried to experiment with specifying the minute, but the same situation exists if the 9.00am minute does not exist.

index=main | eval Hour=strftime(_time,"%H%M")
| streamstats reset_after="("Hour==0900")" sum(Result) as Total

I think I need to either make a lookup to create an event every 9 am for each day, but I couldn't figure that out if the time range was greater than one day. I experimented with makeresults to create an event, but this needed an append which messed up all of my other parts of the query.

I think the most elegant way to do this is to have an event created for every 9 am before the query is made, but I can't figure it out, any advice/ideas are welcomed!

 

Dave

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:29 AM 
| eval _day=relative_time(_time,"-9h@d")
| streamstats sum(Result) as Total by _day

View solution in original post

0 Karma
Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-15-2021 07:28 PM

I'll admit I still haven't had success with this, can you explain why this doesn't work?

 

| makeresults count=5
| streamstats count
| eval age = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval city = case(count=1 OR count=3, "San Francisco", count=2 OR count=4, "Seattle")
| eval _day=relative_time(_time,"-9h@d")

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:29 AM 
| eval _day=relative_time(_time,"-9h@d")
| streamstats sum(Result) as Total by _day
0 Karma
Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-10-2021 06:45 AM

Thanks for the reply, but isn't that relative to when you run it? Not absolute at 9 am every day?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 06:56 AM

The function works on the arguments given - _time is the time from each event, -9 hours takes any _time before 9am into the previous day, and @day snaps to the beginning of that day.

Reply
Solved! Jump to solution

davidjaniec
Explorer
‎09-10-2021 04:58 PM

Ahh brilliant thanks so much, I didn't have a derived timestamp in the data so I didn't recognise it. Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...