Relative time and stats

asarolkar
Builder

I have a somewhat complicated question about how the now() method applies in the context of stats.

I have a Splunk search to weed out accounts with no transactions in the last 24 hours.
I am using now() to determine a cutoff date for weeding out those accounts.
lastTransactionProcessed is provided as a field by sourcetype="banklog" and is always populated.

sourcetype="banklog"
| eval cutOffTime=relative_time(now(),"-48h")
| where lastTransactionProcessed>cutOffTime
| dedup accountNum
| table accountNum

The above query works as expected, which is great.

The problem is that I am expected to create a trend (using stats) for the last 4 days for this search, and when I get now() involved with stats (see below), things don't work out as I hoped.

sourcetype="banklog"
| eval cutOffTime=relative_time(now(),"-48h")
| where lastTransactionProcessed>cutOffTime
| bucket span=1d _time
| dedup accountNum _time
| eval target=15
| eventstats dc(accountNum) as "successCount"
| eval failures=target-successCount
| stats first(target) as Target, c(successCount) as Success by _time
| eval failures=15-Success

I am interested in simply plotting success versus failure here and I schedule the time interval for this search for -4d@d to now.

I only get results for one day (which is the last 24 hours).

Any clues as to what I might be doing wrong here?


lguinn2
Legend

You are working with 4 different time fields, yes?

now() is the time that this search started

cutOffTime is 48 hours before this search started

lastTransactionProcessed is found in the event

_time is the timestamp of the event

Your where command is cutting off a number of events.
I might have done it like this instead

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| stats count by accountNum accountStatus _time

My stats command is probably wrong, but I am having difficulty figuring out what target means, as well as the definition of success or failure. You could also

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| dedup accountNum accountStatus
| stats count by accountStatus _time

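The difference between the asker's search and the answer above comes down to what the 48-hour cutoff is measured from. The following Python script is an added example, not code from this thread or from Splunk: it models the now()-based search from the question and the event-relative search from the answer over a constructed five-day banklog sample (accounts A, B, C; every timestamp constructed), with bucket span=1d, dedup and stats reduced to plain dictionaries. One assumption is marked in the code: the dedup in the event-relative version is applied per (accountNum, accountStatus, day) so that each day bucket is counted on its own.

```python
"""Model of the two SPL searches in the thread, showing why a now()-based
cutoff collapses a multi-day trend.  Constructed data; not Splunk code."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WINDOW_48H = timedelta(hours=48)

# Constructed: the scheduled search runs at this instant, i.e. this is now().
NOW = datetime(2024, 1, 5, 12, 0, tzinfo=UTC)


def make_events():
    """Constructed banklog events covering the -4d@d..now window.
    Accounts A and B transact every day; C has not transacted since 25 Dec."""
    events = []
    for day in range(1, 6):
        logged = datetime(2024, 1, day, 9, 0, tzinfo=UTC)  # the event's _time
        for acct in ("A", "B"):
            events.append({"accountNum": acct, "_time": logged,
                           "lastTransactionProcessed": logged - timedelta(hours=1)})
        events.append({"accountNum": "C", "_time": logged,
                       "lastTransactionProcessed": datetime(2023, 12, 25, tzinfo=UTC)})
    return events


def bucket_1d(ts):
    """bucket span=1d _time: snap the event time to the day it falls in."""
    return ts.date()


def asker_search(events, now):
    """eval cutOffTime=relative_time(now(),"-48h") | where lastTransactionProcessed>cutOffTime
       | bucket span=1d _time | dedup accountNum _time | stats dc(accountNum) by _time
    One cutoff for the whole search, so every day bucket older than now()-48h is emptied."""
    cutoff = now - WINDOW_48H
    seen = set()
    per_day = defaultdict(int)
    for ev in events:
        if not ev["lastTransactionProcessed"] > cutoff:
            continue                                    # the where clause drops the event
        day = bucket_1d(ev["_time"])
        if (ev["accountNum"], day) in seen:             # dedup accountNum _time
            continue
        seen.add((ev["accountNum"], day))
        per_day[day] += 1
    return dict(per_day)


def answer_search(events):
    """eval accountStatus=if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
       | bucket _time span=1d | dedup accountNum accountStatus | stats count by accountStatus _time
    The cutoff moves with each event's own _time, so every day bucket is classified on its own.
    Assumption: dedup is modelled per (accountNum, accountStatus, day) so days stay independent."""
    seen = set()
    per_day = defaultdict(lambda: {"Active": 0, "Inactive": 0})
    for ev in events:
        cutoff = ev["_time"] - WINDOW_48H
        status = "Active" if ev["lastTransactionProcessed"] > cutoff else "Inactive"
        day = bucket_1d(ev["_time"])
        key = (ev["accountNum"], status, day)
        if key in seen:
            continue
        seen.add(key)
        per_day[day][status] += 1
    return {d: dict(v) for d, v in per_day.items()}


if __name__ == "__main__":
    ev = make_events()
    print("now()-relative cutoff :", asker_search(ev, NOW))   # only the two newest day buckets survive
    print("event-relative cutoff :", answer_search(ev))       # all five days, Active/Inactive per day
```

Running it shows the now()-relative version keeping only the day buckets whose transactions are newer than now() minus 48 hours, while the event-relative version classifies every day in the window as Active or Inactive. That is the general rule behind the answer: relative_time(now(), ...) is a single constant for the whole search, whereas relative_time(_time, ...) is evaluated per event, so only the latter produces a cutoff that travels with each bucket of a trend.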

asarolkar
Builder

So the Target number of transactions is 15 - we want to see that as a steady constant in the graph, the rest should be active and inactive.


lguinn2
Legend

How can there be only 15 transactions total? This is very unclear.


asarolkar
Builder

I am indeed working with four different time fields.

The Target is a constant value (15, which represents the total number of transactions that occur).
