Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How handle time-based join with streamstats

kwalking
New Member
‎06-24-2015 12:46 PM

I have 2 sets of events, 1 for registration events, and 1 for host state events. There is a common field between the 2 sets of events which is the host. In the individual registration events, I need to know what the last known state for the host is so I can keep a running total of the number of registrations that have occurred. For certain states, the count should get reset.

For the last part, I know I'll need to create a field using eval to say what the increment/decrement value for the total is and then do a streamstats based upon the host name and state but correlating those values into the registration events has proven complicated.

Any thoughts as to how to do this?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-26-2015 09:31 AM

This should get you started:

sourcetype=registration OR sourcetype=status | eventstats latest(state) AS finalState BY host | streamstats current=t last(state) AS currentState by host | stats count(eval(sourcetype=registration AND currentState="RUNNING")) by host
0 Karma
Reply

kwalking
New Member
‎06-24-2015 02:09 PM

Rather, not just should certain states reset the count, but the registrations should only be counted while the host is in the 'RUNNING' state.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...