Find Maximum Time Period Between Occurences of a S...

essklau · ‎03-13-2015

Hello,

I'd like to find a way to return the longest stretch of time where a condition did not occur. Specifically, what is the longest stretch of time in which sourcetype=X had no events.

Streamstats seems like the right command to start with, but my attempt fails:

host=HOST1 sourcetype=*
 | streamstats current=f last(_time) as LastTime by host
 | eval delay=_time-LastTime
 | stats max(delay) by host

Thank you.

Edit: streamstats tag doesn't exist, and I can't create it. Any tag suggestions?

tom_frotscher · ‎03-13-2015

Hey, you are absolutely on the right way. Just one little misstake. You interchanged _time and LastTime. You need to calculate

delay = LastTime - _time

In your calculation, _time is always smaller than LastTime, therefore you get negative values, or 0 if the _time and LastTime are equivalent. If you calculate the max, you will always get 0 as result, because it is greater than a negative number.

Therefore try:

index=_internal sourcetype=splunkd
| streamstats current=f last(_time) as LastTime by host
| eval delay=LastTime - _time
| stats max(delay) by host

Greetings

Tom

Find Maximum Time Period Between Occurences of a Specified Condition

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Find Maximum Time Period Between Occurences of a Specified Condition

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers