How to get time difference between consecutive eve...

martaBenedetti · ‎08-01-2023

Hi,

I need to plot time difference between consecutive events by sourcetype in the last 7 days.

I'm using this search but it's slow for a dashboard

index=myindex sourcetype=(sourcetype1, sourcetype,sourcetype3)
| streamstats windwos=2 global=f range(_time) as delta by sourcetype
| timechart max(range) as "delta [sec]" by sourcetype

do you have any suggestion for a more efficient search?

Thank you,

Marta

ITWhisperer · ‎08-01-2023

You could try using metasearch since you are only really dealing with meta-data

Another possibility is to schedule a regular report to save this data to a summary index and use the summary index for your dashboard

Or do both of these.

The caveat to summary indexes, is that you might want to ensure that your reports are overlapping so that you don't miss an interval but also make the updates idempotent so you don't end up double counting.

How to get time difference between consecutive events by sourcetype during 7 days?

chart

stats

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation