Splunk Search

Make a slippery transaction within 20 events, how do I calculate the duration between the 1st and 20th event, 2nd and 21st, etc?

Explorer

Hello all,

I'm trying to make a slippery transaction within 20 events.
For example, my search returns 40 events and I need to calculate the duration between:
the first event and the twentieth,
the second and the twenty first,
the third and the twenty second
etc...

With this:

transaction Routed maxevents=20 mvlist=t

Splunk only calculates 2 durations: between the first event and the twentieth, and the twenty first and the fortieth.

Please HELPPP 🙂

0 Karma
1 Solution

SplunkTrust

If you're only looking for the duration you can use this:

index=foo sourcetype=bar Routed=* | streamstats window=20 global=f range(_time) as duration by Routed

Note, the first nineteen events may compute the duration between 1 and 1, 1 and 2, ..., 1 and 19.

Explorer

Thanks a lot, perfectly doing what I want 🙂
I used:
where row >20
to remove the twenty first events

0 Karma
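
The sliding-window search from the accepted answer, combined with a row filter like the one in the reply, as an added example that is not from the original posts. It runs on constructed data from makeresults (60 events, two Routed values, 30 seconds apart per value); the `n` field, the `row` counter and the `row >= 20` cutoff, which keeps the first full 20-event window, are choices made for this example.

```spl
| makeresults count=60
| streamstats count as n
| eval Routed = if(n % 2 == 0, "A", "B")
| eval _time = relative_time(now(), "@d") + n * 15
| streamstats count as row by Routed
| streamstats window=20 global=f range(_time) as duration by Routed
| where row >= 20
| table _time Routed row duration
```

Because `global=f` keeps a separate 20-event window for each Routed value, `row` has to be counted `by Routed` as well, so the filter drops the partial windows of every value and not only those at the start of the result set.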