I have event data in the format below:
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
How should I perform the following tasks:
Then, after splitting the events into two halves, I must sum dataconsumed by app in both halves (events split by time), i.e.
firsthalf yahoo 50
secondhalf yahoo 10
Find the difference between total_dataconsumed by app in the firsthalf and secondhalf, i.e. firsthalf - secondhalf.
I am still stuck on step 1; I don't seem to understand how one should split the search events into halves/spans and apply stats on both halves.
There may be an easier way to do this, but you could try:
| eventstats min(_time) as startTime, range(_time) as timeElapsed | eval halfwayMark=startTime+(timeElapsed/2) | eval series=if(_time<halfwayMark, "firstHalf", "secondHalf") | chart sum(dataconsumed) by app, series | eval diff=firstHalf-secondHalf
Thanks @jluo [Splunk], but I still cannot get a difference between both halves.
...|eval diff=firstHalf-secondHalf does not do anything.
Your Base Search Here | addinfo | eval time=if((_time <= (now()-(if(isnum(info_max_time), info_max_time, now()) - info_min_time)/2)), "firsthalf", "secondhalf") | stats sum(dataconsumed) AS total_dataconsumed BY app time
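The logic both answers describe, as an added stand-alone Python example (not SPL and not code from this thread) run over the question's own sample events: the halfway mark is min(_time) plus half the time range, dataconsumed is summed per app for each half, and the two totals are subtracted. Note that both answers label the older half "firstHalf", whereas the question's example treats the newest events as the first half, so here yahoo is 10 in firstHalf and 50 in secondHalf; also, as with the SPL eval, an app seen in only one half gets a null diff unless the missing side is filled in (what fillnull would do).

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample input: the eight events from the question, one per line.
RAW_EVENTS = """\
Sep 15 2017 07:06:07 app=yahoo dataconsumed=50
Sep 15 2017 08:16:07 app=skype dataconsumed=150
Sep 14 2017 10:26:07 app=facebook dataconsumed=10
Sep 14 2017 12:26:07 app=facebook dataconsumed=5
Sep 13 2017 7:26:07 app=yahoo dataconsumed=10
Sep 13 2017 9:26:07 app=skype dataconsumed=50
Sep 12 2017 3:26:07 app=facebook dataconsumed=80
Sep 12 2017 1:26:07 app=facebook dataconsumed=0
"""

def parse_events(text):
    """Turn each raw line into (time, app, dataconsumed)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        when = datetime.strptime(" ".join(parts[:4]), "%b %d %Y %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        events.append((when, fields["app"], float(fields["dataconsumed"])))
    return events

def label_halves(events):
    """Halfway mark = min(_time) + range(_time)/2, as in the eventstats answer;
    events before it are 'firstHalf', the rest 'secondHalf'."""
    times = [t for t, _, _ in events]
    halfway = min(times) + (max(times) - min(times)) / 2
    return [(app, "firstHalf" if t < halfway else "secondHalf", used)
            for t, app, used in events]

def sum_by_app_and_half(labelled):
    """Same result as 'chart sum(dataconsumed) by app, series'."""
    totals = defaultdict(lambda: defaultdict(float))
    for app, half, used in labelled:
        totals[app][half] += used
    return {app: dict(halves) for app, halves in totals.items()}

def diff_by_app(totals, fill_missing_with_zero=False):
    """Same as 'eval diff=firstHalf-secondHalf': an app seen in only one half
    gives None (SPL null) unless the missing side is filled, as fillnull would."""
    diffs = {}
    for app, halves in totals.items():
        first, second = halves.get("firstHalf"), halves.get("secondHalf")
        if fill_missing_with_zero:
            first, second = first or 0.0, second or 0.0
        diffs[app] = None if first is None or second is None else first - second
    return diffs
```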