Counting events within a rolling window (last X seconds from the event's time)

Kindred
Path Finder

Hey everyone,

Given the following dummy events, how can I maintain a count of the events (by FIELD_X) based on a rolling window from the point of the current event, where the window span is say the last 30 seconds?

2013-02-25 00:00 FIELD_1 message         -- FIELD_1 count = 1
2013-02-25 00:10 FIELD_3 message         -- FIELD_3 count = 1
2013-02-25 00:20 FIELD_2 message         -- FIELD_2 count = 1
2013-02-25 00:30 FIELD_1 message         -- FIELD_1 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:40 FIELD_2 message         -- FIELD_2 count = 2 (2 events in the last 30 seconds from this FIELD)
2013-02-25 00:50 FIELD_3 message         -- FIELD_3 count = 1 (since it was 40 seconds since last FIELD_3)

I then just want to include this count in the search result.


martin_mueller
SplunkTrust

Ignoring the by FIELD_X, you can do this:

...  | eval window = 30 | concurrency duration=window

I'll have a think about grouping that...

martin_mueller
SplunkTrust

You could work yourself around that with bin span=1s count somethingorother, then you can use streamstats' event window just like you use a rolling seconds window.

Edit: http://splunk-base.splunk.com/answers/72115/streamstats-with-time-window


Ayn
Legend

There's also streamstats which has a window option, but unfortunately the window is defined by number of events, not amount of time.


Kindred
Path Finder

Yeah, it's the grouping part that's needed; otherwise concurrency is across all of them.

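The per-field rolling count the question asks for, written out in Python as an added example (it is not part of this thread and not Splunk's own code). It parses the question's dummy events (a constructed copy, with the mm:ss values read as minutes:seconds so the rows are 10 seconds apart), walks them in time order and keeps, per FIELD_X, a queue of timestamps that fall inside the trailing window, which is the semantics a time-based streamstats window has and that the bin span=1s workaround above approximates. With by_field=False it degenerates to one overall count, like the ungrouped concurrency search earlier in the thread. The window boundary is inclusive (an event exactly 30 seconds earlier still counts) because that is what the counts annotated in the question imply. Later Splunk releases added a time_window argument to streamstats that does this directly in SPL; check the streamstats reference for your version.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the events in the question; the question's
# "00:10", "00:20" ... are taken as minutes:seconds, so rows are 10 s apart.
SAMPLE_EVENTS = """\
2013-02-25 00:00:00 FIELD_1 message
2013-02-25 00:00:10 FIELD_3 message
2013-02-25 00:00:20 FIELD_2 message
2013-02-25 00:00:30 FIELD_1 message
2013-02-25 00:00:40 FIELD_2 message
2013-02-25 00:00:50 FIELD_3 message
"""


def parse_events(text):
    """Parse 'YYYY-MM-DD HH:MM:SS FIELD message' lines into (time, field, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, field, message = line.split(" ", 3)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, field, message))
    return events


def rolling_counts(events, window_seconds, by_field=True):
    """Annotate every event with the number of events in the trailing window.

    by_field=True  -> count only events carrying the same FIELD_X value
                      (the grouped result the question wants).
    by_field=False -> one count across all events, like an ungrouped
                      concurrency/streamstats search.
    The window is inclusive at its far edge: an event exactly
    window_seconds earlier is still counted, matching the question's
    annotated counts. Input is sorted ascending by time first, since a
    streaming window only makes sense over time-ordered results.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # group key -> timestamps still inside the window
    annotated = []
    for ts, field, message in sorted(events, key=lambda e: e[0]):
        key = field if by_field else None
        queue = recent[key]
        # Evict everything that fell out of the window before this event.
        while queue and queue[0] < ts - window:
            queue.popleft()
        queue.append(ts)
        annotated.append((ts, field, message, len(queue)))
    return annotated


def counts_only(events, window_seconds, by_field=True):
    """Convenience wrapper returning just the count column, in event order."""
    return [row[3] for row in rolling_counts(events, window_seconds, by_field)]


if __name__ == "__main__":
    rows = rolling_counts(parse_events(SAMPLE_EVENTS), 30)
    for ts, field, message, count in rows:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {field} {message:<8} -- {field} count = {count}")
```

Running the script prints the six rows with counts 1, 1, 1, 2, 2, 1, the same values the question annotates. Shrinking the window to 29 seconds drops the second FIELD_1 count back to 1, which is the quickest way to confirm the inclusive boundary is doing what you expect before you translate the logic into a search.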