Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How handle time-based join with streamstats

kwalking
New Member
‎06-24-2015 12:46 PM

I have 2 sets of events, 1 for registration events, and 1 for host state events. There is a common field between the 2 sets of events which is the host. In the individual registration events, I need to know what the last known state for the host is so I can keep a running total of the number of registrations that have occurred. For certain states, the count should get reset.

For the last part, I know I'll need to create a field using eval to say what the increment/decrement value for the total is and then do a streamstats based upon the host name and state but correlating those values into the registration events has proven complicated.

Any thoughts as to how to do this?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-26-2015 09:31 AM

This should get you started:

sourcetype=registration OR sourcetype=status | eventstats latest(state) AS finalState BY host | streamstats current=t last(state) AS currentState by host | stats count(eval(sourcetype=registration AND currentState="RUNNING")) by host
0 Karma
Reply

kwalking
New Member
‎06-24-2015 02:09 PM

Rather, not just should certain states reset the count, but the registrations should only be counted while the host is in the 'RUNNING' state.

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...