Hi,
I have a case where I need to get the sum of values from neighboring events based on a search key.
Example:
A=abc time_taken=959
A=qwee time_taken=2
A=dsfrge time_taken=59
A=ghryh time_taken=12456
A=Ihtr time_taken=13785
A=gtrhry time_taken=24
unique_id=5872 unique_status=created.
My search is:
host=xyz source=qwerty "unique_status=created"
Now I want the output as:
sum of time_taken for the above 6 events
(959+2+59+12456+13785+24).
Is there any way to get this data?
Thanks for the input. It worked with transaction command.
query:
search|transaction startswith="abc" endswith="created"
duration gives the time between the two events.
Will it always be 6 events before the unique_status event? If yes, have you looked at streamstats (http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/streamstats)?
.. | streamstats window=6 current=f sum(time_taken)
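Putting the streamstats suggestion into a complete search, as an added example that is not from any poster in this thread. It assumes the host/source from the question and the sample field names; the field name total_time_taken is an invented alias. The unique_status filter is applied after streamstats rather than in the base search, because filtering first would drop the six time_taken events there is nothing left to sum over; reverse puts events in chronological order so the window covers the six events preceding the created event in time rather than the six returned before it in the default newest-first result order.

```spl
host=xyz source=qwerty
| reverse
| streamstats window=6 current=f sum(time_taken) AS total_time_taken
| search unique_status=created
| table _time unique_id total_time_taken
```

For the sample events in the question this yields total_time_taken=27285 for unique_id=5872; if the number of preceding events varies, the transaction approach with startswith/endswith is the safer choice since a fixed window would silently include unrelated events.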