Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get max number of hours without events

vl951f
Path Finder
‎05-21-2021 12:40 PM

I have a summary index for hourly event count of a feed. The feed has some hours with event count empty. How can I get the max number of hours with no event.
In the following example, the max number of hours without event is 3.
Time                Hourly Event Count
hour 01:00   235
hour 02:00
hour 03:00
hour 04:00   67
hour 05:00
hour 06:00   43
hour 07:00
hour 08:00
hour 09:00
hour 10:00   87

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎05-21-2021 05:02 PM

 

| search mycount!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600.00)-1
| stats max(number_of_zeros)

 

 

If you have a field called mycount which is your the hourly count, you can
1. search for all the non zero counts
2. take the delta in the time periods 
3. compute the number of zeros as the delta - 1 (e.g. 6 -> 10 is 4 but there are really 3 zeros in between) divided by number of seconds in an hour (3600)
4. compute the max of this count of number of zeros

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎05-21-2021 05:02 PM

 

| search mycount!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600.00)-1
| stats max(number_of_zeros)

 

 

If you have a field called mycount which is your the hourly count, you can
1. search for all the non zero counts
2. take the delta in the time periods 
3. compute the number of zeros as the delta - 1 (e.g. 6 -> 10 is 4 but there are really 3 zeros in between) divided by number of seconds in an hour (3600)
4. compute the max of this count of number of zeros

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-24-2021 07:41 AM

I got it work for one feed index. How can I get it work for all feedindex?

I tried the following, it didn't work.

feed_index=* | stats sum(hourly_count) as event_count by _time,feed_index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by feed_index

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎05-24-2021 09:58 AM

Did you mean to write

 

index=feed_index

Not sure what you question means.

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-24-2021 10:03 AM

I'm working with my summary index. feed_index is the same as index in my summary index.

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-24-2021 10:10 AM

You can think the search is:

index=* | stats sum(hourly_count) as event_count by _time,index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by index

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎05-25-2021 08:35 AM

Seems reasonable although it's always better if you can avoid index=*. Maybe all your summary indexes have the string summary in them?

Did your search work?

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-22-2021 08:35 PM

Works like a charm! Thank you so much!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...