Solved: Cumulative counters with "slice" logic - Page 2

Nikita_Danilov · ‎04-23-2014

Hi all!

I am working on task: Create cumulative chart for counting Success and Error entities, by 1 hour slice interval, with checking latest [Status] value by [ID] and [StatusDateTime] to every [Slice].

"Slice logic" - for example, exist next Events:

ID   Status   StatusDateTime
------------------------------
1    Error    2014-04-23 10:55
2    Success  2014-04-23 10:55
1    Success  2014-04-23 11:55

Need to get next result:

Slice              Success    Error
------------------------------------
2014-04-23 11:00   1          1
2014-04-23 12:00   2          0

I know how to calculate count separately for 1 hour periods:

index="log_index"  
| eval GroupDate=strftime(relative_time(StatusDateTime, "+1h@h"), "%Y-%m-%d %H:%M")  
| stats latest(Status) as Status by ID, GroupDate  
| stats c(eval(Status="Success")) as SuccessCount, c(eval(Status="Error")) as ErrorCount by GroupDate

In SQL, I can do subqueries for each period and calculate it (specifying latest in Sub-Search as GroupDate). But, as I understood, Splunk does not support passing parameters/values from Main-Search to Sub-Search, is it true?

I do not have any ideas how to create needed cumulative logic.
Anyone can guide me please on this?

Thanks!

Nikita_Danilov · ‎05-05-2014

In the end, we decided to create an internal cumulative index and accumulate therein summary statistics using scheduled search (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing).

Thank you all for your help!

View solution in original post

Cumulative counters with "slice" logic

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life