Hey everyone,
Given the following dummy events, how can I maintain a count of the events (by FIELD_X) based on a rolling window from the point of the current event, where the window span is say the last 30 seconds?
2013-02-25 00:00 FIELD_1 message -- FIELD_1 count = 1
2013-02-25 00:10 FIELD_3 message -- FIELD_3 count = 1
2013-02-25 00:20 FIELD_2 message -- FIELD_2 count = 1
2013-02-25 00:30 FIELD_1 message -- FIELD_1 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:40 FIELD_2 message -- FIELD_2 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:50 FIELD_3 message -- FIELD_3 count = 1 (since it was 40 seconds since last FIELD_3)
I then just want to include this count in the search result.
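For reference, here is the rolling per-field count the question describes worked out in plain Python. This is an added example, not SPL and not from anyone in this thread; it is useful for pinning down the expected numbers before building the search (for instance, when the same pattern is used to count failed logins per user over the last N seconds). It assumes the dummy timestamps are 10-second steps written as HH:MM:SS, that the window is inclusive ([t - 30s, t]), and that events arrive in time order, which is how the question's counts work out.

```python
"""Rolling per-field event count over a time window (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input mirroring the question's dummy events;
# the question's "00:10" etc. are read here as 10-second steps (assumption).
SAMPLE_EVENTS = [
    "2013-02-25 00:00:00 FIELD_1 message",
    "2013-02-25 00:00:10 FIELD_3 message",
    "2013-02-25 00:00:20 FIELD_2 message",
    "2013-02-25 00:00:30 FIELD_1 message",
    "2013-02-25 00:00:40 FIELD_2 message",
    "2013-02-25 00:00:50 FIELD_3 message",
]


def parse_event(line):
    """Split '<date> <time> <field> <message>' into (timestamp, field)."""
    date, time, field, _message = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, field


def rolling_counts(lines, window_seconds=30):
    """Return [(line, field, count)] where count is the number of events
    for that field whose timestamp lies in [current - window, current].

    One deque per field holds only the timestamps still inside the window,
    so each event costs amortised O(1) regardless of history length.
    Events must be supplied in ascending time order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # field -> timestamps inside the window
    results = []
    for line in lines:
        ts, field = parse_event(line)
        queue = recent[field]
        queue.append(ts)
        # Drop timestamps older than the window; the boundary itself is kept,
        # which is why two events exactly 30s apart count as 2.
        while queue and ts - queue[0] > window:
            queue.popleft()
        results.append((line, field, len(queue)))
    return results


def annotate(lines, window_seconds=30):
    """Render each event with its count, in the question's own notation."""
    return [f"{line} -- {field} count = {count}"
            for line, field, count in rolling_counts(lines, window_seconds)]


if __name__ == "__main__":
    for row in annotate(SAMPLE_EVENTS):
        print(row)
```

The order requirement matters: if events can arrive late, sort by timestamp first, otherwise an out-of-order event would be expired against the wrong "current" time and the counts for that field drift.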
Ignoring the by FIELD_X, you can do this:
... | eval window = 30 | concurrency duration=window
I'll have a think about grouping that...
You could work yourself around that with bin span=1s count somethingorother, then you can use streamstats' event window just like you use a rolling seconds window.
Edit: http://splunk-base.splunk.com/answers/72115/streamstats-with-time-window
There's also streamstats, which has a window option, but unfortunately the window is defined by number of events, not amount of time.
Yeah, it's the grouping part that's needed, otherwise concurrency is across all of them.