Retrieve events grouped by event order (first 5, n...

dawfun · ‎07-05-2013

I have no clue how to do this. I've tried autoregress, and I expect it shoudl work, but I end up with gaps in the new field...the original field is continuous.

What I want to do is get stats on the most recent 5 events in my search, and then grab the same stats for the previous 5 events. I can get something close if I do it on a time-basis, but I really want to do this on a event-basis. What I'd like to do is retrieve 10 events in my search (not hard to do) then operate on the first 5 and the last 5 as two distinct groupings of values.

Any ideas?

martin_mueller · ‎07-05-2013

In order to split a call to stats by groups of five events you could do something like this:

your search pipeline that yields a multiple of five events | streamstats current=f count as segment | eval segment = floor(segment / 5) | stats foo(bar) by segment

The field segment will be 0 for the first five events, 1 for the second five, and so on.

dawfun · ‎07-05-2013

I'll give that a shot. Thanks.

dawfun · ‎07-05-2013

I figured out the gaps issue with auto regress (sorting, duh). Still looking for a solution.

Retrieve events grouped by event order (first 5, next 5, etc...)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!