Hi,

I am trying to compute statistics about the Splunk data. To do so, I've got a datamodel with the number of events per host/sourcetype for each hour.

So I can query it this way:

| tstats  count from datamodel="Splunk_Stats" where nodename="Host.Host_Per_Hour" Host.orig_host="*" Host.orig_sourcetype="*" AND earliest=-31d latest=@h by Host.orig_host,Host.orig_sourcetype,_time span=1h
| rename Host.orig_host AS orig_host, Host.orig_sourcetype AS orig_sourcetype

This works but then, I want to compute the range (difference between 2 successive values) of _time for each host/sourcetype.
So I add:

... | streamstats global=false window=2 range(_time) AS r_time by orig_host, orig_sourcetype  

I do global=false and window=2, because, from my understanding, it will make Splunk compute the range for every two successive values for each individual host/sourcetype couple.

For example:

sourcetype      _time
A                today
B                today
A                2 days ago
A                3 days ago
A                4 days ago

So the streamstats commands adds:

sourcetype      _time            r_time
A                today           0
B                today           0
A                2 days ago      2
A                3 days ago      1
A                4 days ago      1

Now, when I do this, it works if I filter down to a specific source type in my tstats command. But when there are several (a lot of) source types all mixed together (because I don't filter), the streamstats command does not compute the range and there is no r_time column...

Any idea how to make it work?