Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to handle streamstats / delta assigning a 'zero' to the first row?

AlexBryant
Path Finder
‎07-27-2018 07:26 AM

My query is returning the total number of bytes received by various IP addresses at different points in epoch time. I'm using a combination of sort, streamstats, and delta to show how many ADDITIONAL bytes have been received since the last record, for a given IP address. So the data for a given IP address would be:

epoch_time; IP_address; delta_bytes_received
1000; 192.168.100.1; 0
1005; 192.168.100.1; 600
1008; 192.168.100.1; 70
1018; 192.168.100.1; 0
1021; 192.168.100.1; 223

The problem is that for each IP address's group of records, the delta for the first record shows up as zero since there is no previous record to 'delta' against. So when I run avg() and stdev() on the deltas (which is the end goal), there's always an unnecessary zero in the mix that skews the statistics. I tried assigning all zero-value deltas to 'null', but not only does that remove some valid 'zero' entries (like row number 4 above), the statistics are still generated based on the number of rows received, whether null or not, again skewing the results.

Is there a way for me to remove the first record for each IP address?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:52 AM

Do something like | streamstats count as remove_me by ip | where NOT remove_me=1 before doing you calculations - that will remove the first instance of each ip

View solution in original post

Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:52 AM

Do something like | streamstats count as remove_me by ip | where NOT remove_me=1 before doing you calculations - that will remove the first instance of each ip

Reply
Solved! Jump to solution

AlexBryant
Path Finder
‎07-27-2018 11:07 AM

Simple and works perfectly - thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...