Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate interval sum for repeated event pairs

CatherineLiu007
Explorer
‎04-16-2015 11:23 AM

Hi, I'm a Splunk newbie. Can anyone help me with this. Thanks.

For the following events, I need to calculate the sum of time interval used for stepA to stepB. So it should be (TimeStamp3 - TimeStamp2) + (TimeStamp5 - TimeStamp4) + (TimeStamp7-TimeStamp6).

TimeStamp1 Step=stepStart, Tid=1111
TimeStamp2 Step=stepA, Tid=1111
TimeStamp3 Step=stepB, Tid=1111
TimeStamp4 Step=stepA, Tid=1111
TimeStamp5 Step=stepB, Tid=1111
TimeStamp6 Step=stepA, Tid=1111
TimeStamp7 Step=stepB, Tid=1111
TimeStamp8 Step=stepEnd, Tid=1111

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎04-16-2015 12:28 PM

Give this a try (change the field name as applicable)

your base search | sort 0 Tid Timestamp | streamstats current=f window=1 first(Timestamp) as prev | eval StepABDuration=if(Step="stepB", Timestamp-prev,0) | stats min(Timestamp) as start max(Timestamp) as max sum(StepABDuration) as StepABDuration by Tid | eval StepDuration=max-min | table Tid, StepDuration, StepABDuration
Reply

CatherineLiu007
Explorer
‎04-17-2015 06:31 AM

Thanks so much for your help. I'm getting 'Error in 'streamstats' command: The argument ' ' is invalid. Is it because I tried to sum up two different event pairs?

TimeStamp1 Step=stepStart, Tid=1111
TimeStamp2 Step=stepA, Tid=1111
TimeStamp3 Step=stepB, Tid=1111
TimeStamp4 Step=stepC, Tid=1111
TimeStamp5 Step=stepD, Tid=1111
TimeStamp6 Step=stepA, Tid=1111
TimeStamp7 Step=stepB, Tid=1111
TimeStamp9 Step=stepA, Tid=1111
TimeStamp10 Step=stepB, Tid=1111
TimeStamp11 Step=stepC, Tid=1111
TimeStamp12 Step=stepD, Tid=1111
TimeStamp13 Step=stepEnd, Tid=1111

| eval TotalTime = duration
| sort 0 TimeStamp

| streamstats current=f window=1 first(TimeStamp) as prev 
| eval stepABDuration=if(Step="stepB", Timestamp-prev,0) 
| eval stepCDDuration=if(Step="stepD", TimeStamp-prev,0) 

| stats sum(stepABDuration) as stepABDuration by Tid 
| stats sum(stepCDDuration) as stepCDDuration by Tid 

| transaction TId 

| table Tid, TotalTime, stepABDuration, stepCDDuration
0 Karma
Reply

somesoni2
Revered Legend
‎04-16-2015 11:33 AM

Will there be any other steps in between stepA and stepB?

0 Karma
Reply

CatherineLiu007
Explorer
‎04-16-2015 11:57 AM

There will not be any other steps between stepA and stepB. But there may be other steps between stepStart and stepEnd. Thanks.

0 Karma
Reply

somesoni2
Revered Legend
‎04-16-2015 12:12 PM

Ok. One last thing, what would be the final output? mention all the fields that you want.

0 Karma
Reply

CatherineLiu007
Explorer
‎04-16-2015 12:16 PM

Final output will include Tid, duration for stepStart to stepEnd, sum of all stepA to stepB. Thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...