Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How handle time-based join with streamstats

kwalking
New Member
‎06-24-2015 12:46 PM

I have 2 sets of events, 1 for registration events, and 1 for host state events. There is a common field between the 2 sets of events which is the host. In the individual registration events, I need to know what the last known state for the host is so I can keep a running total of the number of registrations that have occurred. For certain states, the count should get reset.

For the last part, I know I'll need to create a field using eval to say what the increment/decrement value for the total is and then do a streamstats based upon the host name and state but correlating those values into the registration events has proven complicated.

Any thoughts as to how to do this?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-26-2015 09:31 AM

This should get you started:

sourcetype=registration OR sourcetype=status | eventstats latest(state) AS finalState BY host | streamstats current=t last(state) AS currentState by host | stats count(eval(sourcetype=registration AND currentState="RUNNING")) by host
0 Karma
Reply

kwalking
New Member
‎06-24-2015 02:09 PM

Rather, not just should certain states reset the count, but the registrations should only be counted while the host is in the 'RUNNING' state.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...