Hi,
Thanks upfront for your time. I need to aggregate some information with the tstats command and make a weekly comparative analysis.
The search I created is working if i pick parameters, however, it doesn't if I don't give any parameters due to nature of |streamstats.
| tstats avg(elapsed) as avgElapsed where host="A" index="X" sourcetype="Y" ID="Z" by _time, host,ID span=1week
| eval myval = host."-".ID
| stats sum(count) as count latest(avgElapsed) as avgElapsed by _time,myval
| streamstats current=f window=1 latest(avgElapsed) as prev_elapsed
Logically, I would expect adding "by" clause to the streamstats command should get me what I need. However, it is not returning results for previous weeks when I do that. It only works on a row by row basis, which points to another ID or host in the data sometimes:
| streamstats current=f window=1 latest(avgElapsed) as prev_elapsed by myval
Please help me out. Kind regards
Give this a try
| tstats avg(elapsed) as avgElapsed where host="A" index="X" sourcetype="Y" ID="Z" by _time, host,ID span=1week
| eval myval = host."-".ID
| stats sum(count) as count latest(avgElapsed) as avgElapsed by myval _time
| streamstats current=f window=1 latest(avgElapsed) as prev_elapsed by myval
Give this a try
| tstats avg(elapsed) as avgElapsed where host="A" index="X" sourcetype="Y" ID="Z" by _time, host,ID span=1week
| eval myval = host."-".ID
| stats sum(count) as count latest(avgElapsed) as avgElapsed by myval _time
| streamstats current=f window=1 latest(avgElapsed) as prev_elapsed by myval
@akocak,
Sorry if mistaken but if you are trying to bring value from previous row to current row, then try using last
instead of latest
in streamstats.