Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Relative time and stats

asarolkar
Builder
‎12-13-2012 11:24 AM

I have a somewhat complicated question about how the now() method applies in the context of stats.




I have a splunk search to weed out accounts with no transactions in the last 24 hours
I am using now() to determine a cutoff date for weeding out those accounts.
lastTransactionProcessed is provided as a field by sourcetype="banklog" and is always populated

sourcetype="banklog" | eval cutOffTime=relative_time(now(),"-48h") | where lastTransactionProcessed>cutOffTime |  dedup accountNum | table accountNum

The above query works as expected which is great.




The problem is that I am expected to create a trend (using stats) for the last 4 days for this search and when I get now() involved with stats (see below), things dont work out as I hoped.

sourcetype="banklog" | eval cutOffTime=relative_time(now(),"-48h") | where lastTransactionProcessed>cutOffTime | bucket span=1d _time | dedup accountNum _time | eval target=15 | eventstats dc(accountNum) as "successCount" | eval failures=target-successCount | stats first(target) as Target, c(successCount) as Success by _time | eval failures=15-Success

I am interested in simply plotting success versus failure here and I schedule the time interval for this search for -4d@d to now.

I only get results for one day (which is the last 24 hours).

Any clues so as to what I might be doing wrong here ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-13-2012 01:29 PM

You are working with 4 different time fields, yes?

now() is the time that this search started

cutOffTime is 48 hours before this search started

lastTransactionProcessed is found in the event

_time is the timestamp of the event

Your where command is cutting off a number of events.
I might have done it like this instead

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| stats count by accountNum accountStatus _time

My stats command is probably wrong, but I am having difficulty figuring out what target means, as well as the definition of success or failure. You could also

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| dedup accountNum accountStatus
| stats count by accountStatus _time

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-13-2012 01:29 PM

You are working with 4 different time fields, yes?

now() is the time that this search started

cutOffTime is 48 hours before this search started

lastTransactionProcessed is found in the event

_time is the timestamp of the event

Your where command is cutting off a number of events.
I might have done it like this instead

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| stats count by accountNum accountStatus _time

My stats command is probably wrong, but I am having difficulty figuring out what target means, as well as the definition of success or failure. You could also

sourcetype=banklog
| eval accountStatus = if(lastTransactionProcessed > relative_time(_time,"-48h"),"Active","Inactive")
| bucket _time span=1d
| dedup accountNum accountStatus
| stats count by accountStatus _time
Reply
Solved! Jump to solution

asarolkar
Builder
‎12-13-2012 02:16 PM

So the Target number of transactions is 15 - we want to see that as a steady constant in the graph, the rest should be active and inactive.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-13-2012 01:37 PM

How can there be only 15 transactions total? This is very unclear.

0 Karma
Reply
Solved! Jump to solution

asarolkar
Builder
‎12-13-2012 01:35 PM

I am indeed working with four different time fields.

The Target is a constant value (15 = represents the total number of transactions that occur).

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...