Find Time between events, including current Time.

jrnastase · ‎08-22-2018

Hello all,

I've seen examples of how to find time between events using streamstats, and also to find the time since the most recent event using stats, but how would I accomplish doing both?

Ultimately I'm trying to detect a loss of information that's reported every 10 minutes, so I'm using streamstats to search for differences of > 10 min, however this "outage" isn't detected until after the data is reported again, thus giving streamstats two items to actually compare. I need all of these deltas, and also the time since the most recent as occurred.

Thanks, and here's some code I have:

search

| streamstats current=t last(_time) as last_time by field 
| eval outage= last_time - _time
| eval outage=tostring(outage, "duration")
| table field _time outage

somesoni2 · ‎08-22-2018

Give this a try

search
| streamstats window=1 current=f values(_time) as last_time by field 
| eval last_time=if(isnull(last_time),now(),last_time)
| eval outage= abs(last_time - _time)
| where outage>600
| eval outage=tostring(outage, "duration")
| table field _time outage

Find Time between events, including current Time.

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Application management with Targeted Application Install for Victoria Experience

Join the Conversation

Find Time between events, including current Time.

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Application management with Targeted Application Install for Victoria Experience