Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate Rolling Summation

David
Splunk Employee
Splunk Employee
‎11-04-2010 09:41 PM

I have a set of data that has one event for ever second, with a field for the number of simultaneous phone calls going on each second. (Here is more background.) E.g.:

   Time                       Concurrency
10/25/2010 00:00:00    0
10/25/2010 00:00:01    0
10/25/2010 00:00:02    0
10/25/2010 00:00:03    0
....
10/25/2010 13:01:01    7
10/25/2010 13:01:02    8
10/25/2010 13:01:03    8

What I want to get out of the data is what is the 60 minute period of time with the highest sum(Concurrency). Looking simply, I could do a | stats sum(Concurrency) as HourlySum by date_hour | stats max(HourlySum). The only problem there is that it cuts the window directly along 00:00-59:59 minute periods. If the busiest period of time is 13:22:00-14:21:59, it wouldn't be properly represented.

Is there any way to do a rolling average, so I could get the data I need out of it?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-19-2010 12:14 AM

Here's your search: 

<your search> | bucket _time span=1min | streamstats sum(Concurrency) as rollingSum window=60 | sort - rollingSum

The bucket will normalize all the data to minute boundaries. Essentially it just throws away the seconds and subseconds values.

Then the streamstats command just keeps a rolling sum of the past 60 rows (including the current row).

Then just sort descending on rollingSum and that's your busiest 60 minute period.

some references:

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

http://www.splunk.com/base/Documentation/latest/SearchReference/Bucket

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-19-2010 12:14 AM

Here's your search: 

<your search> | bucket _time span=1min | streamstats sum(Concurrency) as rollingSum window=60 | sort - rollingSum

The bucket will normalize all the data to minute boundaries. Essentially it just throws away the seconds and subseconds values.

Then the streamstats command just keeps a rolling sum of the past 60 rows (including the current row).

Then just sort descending on rollingSum and that's your busiest 60 minute period.

some references:

http://www.splunk.com/base/Documentation/latest/SearchReference/Streamstats

http://www.splunk.com/base/Documentation/latest/SearchReference/Bucket

Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎11-19-2010 05:48 PM

Huzzah! That solved it! Thanks, sir.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...