Splunk Search

Average a series of future times against current time

mlg
Observer

Hi,

I am new to Splunk and working with parking records. I am calculating the current wait_time based on upcoming parking expiry times.

Within my monitored data each record has the following fields:

  1. arrival_time, the time data was created, which is when the car parked
  2. permit_expiry, which is a couple of hours after the creation time
  3. parking_space, which is a number between 1 and 99 that doesn't repeat until the permit_expiry has passed.

I have the steps I wish to use to display this, but am unsure how to construct a query to achieve the result.

  1. Check how many parking_space are currently in use (which should be a number between 0 and 99):
       sourcetype="parking_log"
       | where permit_expiry > now()
       | stats count by parking_space
  2. Find the next 5 earliest upcoming permit_expiry times and subtract them from the current time:
       | where permit_expiry > now() limit=5
       | for each permit_expiry: num_minutes=permit_expiry-arrival_time
  3. If the number of used parking_space is less than 99, for each parking_space that is free (98, 97, 96) replace the latest permit_expiry time with 0. If the count(parking_space) is less than 94 then all 5 numbers between 0
  4. Display the average of the five numbers (which may include both 0s and the calculated num_minutes).

Many thanks!


PickleRick
SplunkTrust

That's interesting if you don't have any way of prolonging the initial permit time and you don't validate the actual freeing of the permit. But hey, that's your business model :winking_face:

But seriously.

1. The "where" seems OK, but if you need one aggregate count, you don't do the "by parking_space". You just do "stats count".

2. Oh, no. You don't do declarative programming in SPL. Sometimes you can use foreach but very rarely. It's definitely not the case. The first where is mostly OK, but without the limit. But then you should simply sort it by permit_expiry and use top (or bottom) to get first or last 5 results.

3. What do you mean by "replace"?

4. Of which numbers?
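An added SPL sketch, not from either poster, that follows the reply's points 1 and 2: a single aggregate count (no "by"), no limit on the where, then sort and head to keep the five earliest expiries, with minutes measured against now() as in the thread title. It assumes permit_expiry is stored as epoch seconds, that there are 99 spaces in total, and reads step 3 as "the free spaces (99 minus the in-use count) zero out the latest of the five slots"; the hypothetical field names in_use, rank, free_spaces, num_minutes and avg_wait_minutes are mine.

```spl
sourcetype="parking_log"
| where permit_expiry > now()
| eventstats count AS in_use
| sort 0 permit_expiry
| head 5
| streamstats count AS rank
| eval free_spaces = 99 - in_use
| eval num_minutes = if(rank > 5 - free_spaces, 0, round((permit_expiry - now()) / 60))
| stats first(in_use) AS in_use, avg(num_minutes) AS avg_wait_minutes
```

eventstats runs before head so in_use still reflects every active permit, and streamstats numbers the five rows 1..5 from earliest to latest so the zeros land on the latest expiries first; with no active permits at all the search returns no row rather than 0, so treat an empty result as a zero wait.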
