Splunk Search

Find Maximum Time Period Between Occurrences of a Specified Condition

essklau
Path Finder

Hello,

I'd like to find a way to return the longest stretch of time where a condition did not occur. Specifically, what is the longest stretch of time in which sourcetype=X had no events.

Streamstats seems like the right command to start with, but my attempt fails:

host=HOST1 sourcetype=*
| streamstats current=f last(_time) as LastTime by host
| eval delay=_time-LastTime
| stats max(delay) by host

Thank you.

Edit: streamstats tag doesn't exist, and I can't create it. Any tag suggestions?


tom_frotscher
Builder

Hey, you are absolutely on the right track. Just one little mistake: you interchanged _time and LastTime. You need to calculate

delay = LastTime - _time

In your calculation, _time is always smaller than LastTime, therefore you get negative values, or 0 if _time and LastTime are equivalent. If you calculate the max, you will always get 0 as the result, because it is greater than a negative number.

Therefore try:

index=_internal sourcetype=splunkd
| streamstats current=f last(_time) as LastTime by host
| eval delay=LastTime - _time
| stats max(delay) by host

Greetings

Tom

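The pipeline in the answer, modelled in plain Python as an added example (this is not code from either post). Splunk returns search results newest-first, so streamstats sees each host's events in descending _time order and, with current=f, last(_time) is the _time of the previously seen, i.e. later, event of the same host. The event list below is constructed, and the function and field names other than _time, LastTime and delay are my own; the third function keeps the start and end of the longest gap, which is what you actually want when checking a log source that went quiet.

```python
# Added example: a Python model of
#   streamstats current=f last(_time) as LastTime by host
#   | eval delay=... | stats max(delay) by host
# run over constructed events, to show why the sign of the eval matters.

# Constructed sample events as (epoch seconds, host), listed newest-first
# the way a Splunk search returns them. Not real data.
EVENTS = [
    (1030, "host1"),
    (1030, "host1"),   # two events in the same second -> delay 0
    (1000, "host1"),
    (520, "host2"),
    (500, "host2"),
    (220, "host1"),
    (160, "host1"),
    (100, "host1"),
    (50, "host2"),
]


def streamstats_last_time(events):
    """Model `streamstats current=f last(_time) as LastTime by host`.

    Yields (time, host, last_time) rows. last_time is None for the first
    event seen for a host, as streamstats leaves LastTime null there.
    """
    seen = {}
    for t, host in events:
        yield t, host, seen.get(host)
        seen[host] = t


def max_delay_by_host(events, delay):
    """Model `eval delay=<expr> | stats max(delay) by host`.

    `delay(time, last_time)` stands in for the eval expression. Rows whose
    LastTime is null produce a null delay, which stats max() ignores.
    """
    best = {}
    for t, host, last in streamstats_last_time(events):
        if last is None:
            continue
        d = delay(t, last)
        if host not in best or d > best[host]:
            best[host] = d
    return best


def original_formula(t, last):
    # delay=_time-LastTime: never positive in newest-first order
    return t - last


def corrected_formula(t, last):
    # delay=LastTime-_time: seconds until the next later event
    return last - t


def longest_silence(events):
    """Same as the corrected pipeline, but keep the window of the gap:
    returns {host: (seconds silent, gap start, gap end)}."""
    best = {}
    for t, host, last in streamstats_last_time(events):
        if last is None:
            continue
        gap = last - t
        if host not in best or gap > best[host][0]:
            best[host] = (gap, t, last)
    return best


if __name__ == "__main__":
    print("original :", max_delay_by_host(EVENTS, original_formula))
    print("corrected:", max_delay_by_host(EVENTS, corrected_formula))
    print("windows  :", longest_silence(EVENTS))
```

With the constructed events the original expression reports 0 for host1 (the two events in the same second) and -20 for host2, while the corrected one reports the real gaps of 780 s and 450 s. The sign depends on event order: if the search sorts ascending (for example with `| sort _time` or `| reverse`) before streamstats, LastTime becomes the earlier event and `_time - LastTime` is the right expression. To get the longest silence per log source rather than per host, use `sourcetype` instead of `host` in the `by` clauses.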