Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate Rolling Summation

David
Splunk Employee
Splunk Employee
‎11-04-2010 09:41 PM

I have a set of data that has one event for ever second, with a field for the number of simultaneous phone calls going on each second. (Here is more background.) E.g.:

   Time                       Concurrency
10/25/2010 00:00:00    0
10/25/2010 00:00:01    0
10/25/2010 00:00:02    0
10/25/2010 00:00:03    0
....
10/25/2010 13:01:01    7
10/25/2010 13:01:02    8
10/25/2010 13:01:03    8

What I want to get out of the data is what is the 60 minute period of time with the highest sum(Concurrency). Looking simply, I could do a | stats sum(Concurrency) as HourlySum by date_hour | stats max(HourlySum). The only problem there is that it cuts the window directly along 00:00-59:59 minute periods. If the busiest period of time is 13:22:00-14:21:59, it wouldn't be properly represented.

Is there any way to do a rolling average, so I could get the data I need out of it?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-19-2010 12:14 AM

Here's your search: 

<your search> | bucket _time span=1min | streamstats sum(Concurrency) as rollingSum window=60 | sort - rollingSum

The bucket will normalize all the data to minute boundaries. Essentially it just throws away the seconds and subseconds values.

Then the streamstats command just keeps a rolling sum of the past 60 rows (including the current row).

Then just sort descending on rollingSum and that's your busiest 60 minute period.

some references:

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

http://www.splunk.com/base/Documentation/latest/SearchReference/Bucket

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-19-2010 12:14 AM

Here's your search: 

<your search> | bucket _time span=1min | streamstats sum(Concurrency) as rollingSum window=60 | sort - rollingSum

The bucket will normalize all the data to minute boundaries. Essentially it just throws away the seconds and subseconds values.

Then the streamstats command just keeps a rolling sum of the past 60 rows (including the current row).

Then just sort descending on rollingSum and that's your busiest 60 minute period.

some references:

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

http://www.splunk.com/base/Documentation/latest/SearchReference/Bucket

Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎11-19-2010 05:48 PM

Huzzah! That solved it! Thanks, sir.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...