Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Average a series of future times against current time

mlg
Observer
‎10-08-2021 01:56 AM

Hi,

I am new to Splunk and working with parking records. I am calculating the current wait_time based off upcoming parking expiry times.

Within my monitored data each record has the following fields:

  1. arrival_time, the time data was created, which is when the car parked
  2. permit_expiry, which is a couple of hours after the creation time
  3. parking_space, which is a number between 1 and 99, that doesn't repeat until the permit_expiry has passed.

I have the steps I wish to use to display this, but am unsure how to construct a query to achieve the result.

  1.  Check how many parking_space are curently in use (which should be a number between 0 & 99):
    1. sourcetype="parking_log" 
      | where permit_expiry > now()
      | stats count by parking_space
  2. Find the next 5 earliest upcoming permit_expiry times and minus them from the current time.
    1. | where permit_expiry > now() limit=5
      | for each permit_expiry: num_minutes=permit_expiry-arrival_time
  3. If the number of used parking_space is less than 99, for each parking_space that is free (98,97,96) replace the latest permit_expiry time with 0. if the count(parking_space) is less than 94 than all 5 numbers between 0
  4. display the average of the five numbers (which may include both 0s and the calcluated num_minutes.

Many thanks!

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-08-2021 06:56 AM

That's interesting if you don't have any way of prolonging the initial permit time and you don't validate the actual freeing of the permit. But hey, that's your business model 😉

But seriously.

1. The "where" seems ok but if you need one aggregate count, you don't do the "by parking_space". You just do "stats count".

2. Oh, no. You don't do declarative programming in SPL. Sometimes you can use foreach but very rarely. It's definitely not the case. The first where is mostly OK, but without the limit. But then you should simply sort it by permit_expiry and use top (or bottom) to get first or last 5 results.

3. What do you mean by "replace"?

4. Of which numbers?

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...