Solved: Finding Timings Between Multiple Events

Razziq · ‎03-09-2021

Hello,

I am trying to find the timings between multiple calls under the same extracted field of InterchangeId. When using streamstats range(_time), I get the timing between the calls, however the first call in order of time has the total time and the last call has a 0 value. I am trying to determine how long it takes between each call in the correct order without it aggregating one of the calls to the total timing value.

Below is a screenshot of the results as well as the search. I appreciate any help with this!

richgalloway · ‎03-09-2021

Use the window option of streamstats to limit the range calculation to the current row and the previous row.

| streamstats window=1 range(_time) as Difference by InterchangeID

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-09-2021

Use the window option of streamstats to limit the range calculation to the current row and the previous row.

| streamstats window=1 range(_time) as Difference by InterchangeID

---
If this reply helps you, Karma would be appreciated.

Razziq · ‎03-09-2021

@richgalloway Thank you! I was able to add window=2 to the search and verified that the timings look accurate after finding the total time and checking against each individual row's timing. For some reason window=1 resulted in all 0 results, but 2 worked as expected. Thanks again!

Finding Timings Between Multiple Events

chart

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...