Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create an accumulated time difference c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create an accumulated time difference column that, upon reaching a certain value, resets to the current row's time difference?
Joni123
New Member
03-26-2015
06:01 AM
Hi,
I'm looking for a way to add an accumulated time difference column - but one that will "zero" every time it reaches a certain value (in this case, 2)
I'm looking for a command (or set of commands...) that will run automatically and offer indefinite "zeroing" events.
The current search I have is:
| sort 0 uuid _time
| streamstats current=f last(_time) as last_time by user_id session_id
| eval diff=(_time-last_time)/60
| streamstats current=t sum(diff) as accum_diff by user_id session_id
| table _time user_id session_id _time last_time diff accum_diff
And the result is:
_time |user_id|session_id|last_time | diff |accum_diff
10:35:01| 1 | 1A | | |
10:39:49| 1 | 1A |1427304901| 4.8 | 4.8
10:39:50| 1 | 1A |1427305189| 0.02 | 4.82
10:41:19| 1 | 1A |1427305190| 1.48 | 6.3
10:41:25| 1 | 1A |1427305279| 0.1 | 6.4
10:41:56| 1 | 1A |1427305285| 0.52 | 6.92
10:42:43| 1 | 1A |1427305316| 0.78 | 7.7
10:43:13| 1 | 1B | | |
10:43:52| 1 | 1B |1427305393| 0.65 | 0.65
10:43:53| 1 | 1B |1427305432| 0.02 | 0.67
10:43:55| 1 | 1B |1427305433| 0.03 | 0.7
10:44:19| 1 | 1B |1427305435| 0.4 | 1.1
10:44:23| 1 | 1B |1427305459| 0.07 | 1.17
10:44:25| 1 | 1B |1427305463| 0.03 | 1.2
10:45:13| 1 | 1B |1427305465| 0.8 | 2
08:01:13| 2 | 1B | | |
08:01:30| 2 | 2A |1427295673| 0.28 | 0.28
08:02:25| 2 | 2A |1427295690| 0.92 | 1.2
08:02:41| 2 | 2A |1427295745| 0.27 | 1.47
08:03:15| 2 | 2A |1427295761| 0.57 | 2.03
08:03:56| 2 | 2A |1427295795| 0.68 | 2.72
08:05:47| 2 | 2A |1427295836| 1.85 | 4.57
08:05:55| 2 | 2A |1427295947| 0.13 | 4.7
08:06:15| 2 | 2A |1427295955| 0.33 | 5.03
08:06:34| 2 | 2A |1427295975| 0.32 | 5.35
08:07:00| 2 | 2A |1427295994| 0.43 | 5.78
How can I zero "accum_diff" and have it accumulate "diff" once it hit 2?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vganjare
Builder
04-29-2015
01:50 AM
Hi,
You can use custom search command for getting desired result. The custom search command is a python script which will get access to all the data result. Using small python code, this functinality can be achieved. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vganjare
Builder
04-28-2015
12:11 AM
Can you please provide the expected output?
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Joni123
New Member
04-29-2015
12:20 AM
Yes - should look like this - when accum_diff=2, it zeros and starts the sum again in the next record:
_time |user_id|session_id|last_time | diff |accum_diff_max_2
10:35:01| 1 | 1A | | |
10:39:49| 1 | 1A |1427304901| 4.8 | 4.8
10:39:50| 1 | 1A |1427305189| 0.02 | 0.02
10:41:19| 1 | 1A |1427305190| 1.48 |1.5
10:41:25| 1 | 1A |1427305279| 0.1 | 1.6
10:41:56| 1 | 1A |1427305285| 0.52 | 2.12
10:42:43| 1 | 1A |1427305316| 0.78 | 0.78
10:43:13| 1 | 1B | | |
10:43:52| 1 | 1B |1427305393| 0.65 | 0.65
10:43:53| 1 | 1B |1427305432| 0.02 | 0.67
10:43:55| 1 | 1B |1427305433| 0.03 | 0.7
10:44:19| 1 | 1B |1427305435| 0.4 | 1.1
10:44:23| 1 | 1B |1427305459| 0.07 | 1.17
10:44:25| 1 | 1B |1427305463| 0.03 | 1.2
10:45:13| 1 | 1B |1427305465| 0.8 | 2
08:01:13| 2 | 1B | | |
08:01:30| 2 | 2A |1427295673| 0.28 | 0.28
08:02:25| 2 | 2A |1427295690| 0.92 | 1.2
08:02:41| 2 | 2A |1427295745| 0.27 | 1.47
08:03:15| 2 | 2A |1427295761| 0.57 | 2.03
08:03:56| 2 | 2A |1427295795| 0.68 | 0.68
08:05:47| 2 | 2A |1427295836| 1.85 | 2.53
08:05:55| 2 | 2A |1427295947| 0.13 | 0.13
08:06:15| 2 | 2A |1427295955| 0.33 | 0.46
08:06:34| 2 | 2A |1427295975| 0.32 | 0.78
08:07:00| 2 | 2A |1427295994| 0.43 | 1.21
Get Updates on the Splunk Community!
Fueling your curiosity with new Splunk ILT and eLearning courses
At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Unleash Unified Security and Observability with Splunk Cloud Platform
Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
