How handle time-based join with streamstats

kwalking · ‎06-24-2015

I have 2 sets of events, 1 for registration events, and 1 for host state events. There is a common field between the 2 sets of events which is the host. In the individual registration events, I need to know what the last known state for the host is so I can keep a running total of the number of registrations that have occurred. For certain states, the count should get reset.

For the last part, I know I'll need to create a field using eval to say what the increment/decrement value for the total is and then do a streamstats based upon the host name and state but correlating those values into the registration events has proven complicated.

Any thoughts as to how to do this?

woodcock · ‎06-26-2015

This should get you started:

sourcetype=registration OR sourcetype=status | eventstats latest(state) AS finalState BY host | streamstats current=t last(state) AS currentState by host | stats count(eval(sourcetype=registration AND currentState="RUNNING")) by host

kwalking · ‎06-24-2015

Rather, not just should certain states reset the count, but the registrations should only be counted while the host is in the 'RUNNING' state.

How handle time-based join with streamstats

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability