Is there a streamstats function that will show a running result of each value in a row being multiplied by the result above?

Amohlmann
Communicator

I have a search that returns the survival rate over time. For instance:

Time    SurvivalRate
1       0.98
2       0.96
3       0.65
4       1
.       .
.       .
.       .

I would like to show a running survival rate that is like streamstats sum(survivalRate), but instead of adding the numbers in each new line, it multiplies them. So it would return something like this:

Time    SurvivalRate    RunningSurvivalRate
1       0.98            0.98
2       0.96            0.9408 (0.98 * 0.96)
3       0.65            0.61152 (0.9408 * 0.65)
4       1               0.61125 (0.61152 * 1)
.       .
.       .
.       .

Am I using the wrong tool for this job? Is there a streamstats function that I am ignorant of?
Thanks for the assistance.

0 Karma

Richfez
SplunkTrust

I believe you'll want to use the "window=2" parameter to streamstats, then calculate using first(SurvivalRate) and last(RunningSurvivalRate).

Something like this:

(search that returns the above results) 
| streamstats window=2 last(SurvivalRate) as old_value first(RunningSurvivalRate) as new_value 
| eval RunningSurvivalRate=old_value*new_value

Obviously you'll probably have to tweak that, especially with regard to which item is first and which is last, because I always get those mixed up.

Amohlmann
Communicator

That is a really good start but not quite perfect.
I think a slightly better start is to use:
| streamstats list(survivalRate)

Is there a way to multiply all the different values in a multivalue field?

0 Karma

Amohlmann
Communicator

Thanks, it is almost there. I now have access to the previous result, but not the previous result of the runningSurvivalRate.

I will have a play using this when I get a chance. You really helped. Thanks.

0 Karma

ppablo
Retired

Hi @Amohlmann

Once you come up with a final search, would you be able to share that here? I think other users would find the solution useful.

0 Karma

Amohlmann
Communicator

I absolutely will. I marked this answer as correct as it gave me what I was looking for, which was a new way to use streamstats.

I should be able to do a few tweaks later on today.

0 Karma
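
Added example, not part of the original thread and not any poster's search: streamstats has no product function, but a running product equals exp() of a running sum of ln(), so the cumulative rate can be built from streamstats sum(). The makeresults rows are constructed sample data (the thread's four values plus a constructed fifth row of 0 to exercise the zero case), and the field names is_zero, ln_rate, sum_ln and zeros_seen are chosen here for illustration.

```spl
| makeresults count=5
| streamstats count as Time
| eval SurvivalRate=case(Time==1, 0.98, Time==2, 0.96, Time==3, 0.65, Time==4, 1, Time==5, 0)
| eval is_zero=if(SurvivalRate==0, 1, 0)
| eval ln_rate=if(SurvivalRate>0, ln(SurvivalRate), 0)
| streamstats sum(ln_rate) as sum_ln sum(is_zero) as zeros_seen
| eval RunningSurvivalRate=if(zeros_seen>0, 0, round(exp(sum_ln), 5))
| table Time SurvivalRate RunningSurvivalRate
```

Because ln(0) is undefined, zero rates are counted separately and force the running product to 0 from that row onward; round() hides the floating-point noise that the exp/ln round trip introduces.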