Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to get the sum event counts within a 4 minute window?

clorne
Communicator
‎09-27-2015 04:08 AM

Hello,

I have the following data (this is the result of a transaction):

Date          Hour          Paypload     event count     SumCountDuring4Minutes
2015-01-01    13-21-112     azearzer     4
2015-01-01    13-21-008     azearzer     1
2015-01-01    13-22-220     azearzer     2
2015-01-01    13-23-100     azearzer     1
2015-01-01    13-31-100     azearzer     3

(I enclosed a more readable image of the log)

I need to have the sum of eventcount in a 4 minute window. I have seen that the streamstats function can use a window with a number of events. In my case, dealing with events has no meaning since the events may occur after 10 minutes of inactivity.

So in a perfect world, I would like to do simply:

transaction Data Payload | streamstats sum(eventcount) window=4m as SumCountDuring4Minutes

or in an other perfect world

transaction Data Payload | streamstats sum(eventcount) start=Hour end=Hour+4m  as SumCountDuring4Minutes

I have understood that this is not possible with the current implementation of streamstats because the argument windows takes a number of event.
I have very little "SPLUNK knowledge" and I do not see an other way to perform that.
I read about the bucket command, but I am not sure that grouping event by time with allow me to get the SumCountDuring4Minutes per event. My understanding is that I would get a SumCountDuring4Minutes every 4 minutes.

Regards

Preview file
1 KB
0 Karma
Reply

clorne
Communicator
‎10-20-2015 02:04 AM

Hello ppablo,
I enclose my image in this answer. On my side it is displayed correctly in my browser as it was also the previous times.
Last times the url adress was : https://answers.splunk.com/storage/temp/65197-log-slidingsum.png
After a fews days, the image is not displayed any more in my browser.
And I have the feeling that I have been the only one to be able to see this image in my answer.
This time the image is here:/storage/temp/65254-log-slidingsum.png

Regards

alt text

Preview file
1 KB
0 Karma
Reply

MuS
Legend
‎09-27-2015 05:38 PM

Hi clorne,

if I get you correct, you can use stats and bucket to get what you want.
Perfect world example 1:

 transaction Data Payload | bucket _time span=4min | stats sum(eventcount) AS SumCountDuring4Minutes BY _time

or in an other perfect world example 2:

 transaction Data Payload earliest=-64min latest=-60min | stats sum(eventcount) AS SumCountDuring4Minutes

Example 1 will return sum over 4 minutes, but based on the time range of your base search. If the time range is more than 4 minutes you will get multiple sum.
Example 2 will return one sum over 4 minutes one hour ago.

Hope this helps and makes some sense ...

cheers, MuS

0 Karma
Reply

clorne
Communicator
‎10-18-2015 11:49 PM

Hello, For some reason, I am able to upload the image and it is displayed during a few days.
After 4-5 days, I receive an email saying that this I have updated the answer and when I look my imlage has been removed.

Splunk administrator ?Am I authorized to upload an image ?

Regards

0 Karma
Reply

ppablo
Retired
‎10-19-2015 09:53 PM

Hi @clorne

You posted the image as an answer originally, so I just converted it to a comment under @MuS's answer. Your image hasn't been removed. Do you not see the image in your comment above? I see an image with columns hour, payload, eventcount, SumEventCountDuring4Minutes, and Time interval used for the sum. Is that the image you're talking about?

0 Karma
Reply

clorne
Communicator
‎10-14-2015 12:04 AM

Here is the image again:

alt text

0 Karma
Reply

clorne
Communicator
‎10-05-2015 01:54 AM

Hello MuS,
I created a new log sample in order to explain better the calculation I want to perform.!

alt text

In the blue column is what I want to get => a sum during 4 minutes for each event
In the pink column is the interval time ( 4 minutes).

Regards

0 Karma
Reply

MuS
Legend
‎10-13-2015 12:31 PM

Hi clorne, the image is broken or missing

0 Karma
Reply

clorne
Communicator
‎10-01-2015 07:12 AM

Hello Mus,

Thanks for your reply. I tested your suggestion; Unfortunately, I encountered what I was thinking.
There is a sum that is calculated every 4 minutes and not every event during 4 minutes.
Therefore for exemple, when I have 100 events to process, I got only 80 sums

I really think that is a limitation of Splunk today.

0 Karma
Reply

MuS
Legend
‎10-01-2015 12:29 PM

I'm still not 100% clear what you expect as result....
Have you tried head ?

transaction Data Payload | head limit=100 | stats sum(eventcount) AS SumCountDuring4Minutes

This will limit the result to 100 events...

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...