Splunk Search

Spread a value over a variable duration

enenkey
Loves-to-Learn

I have several events that are structured like this:

2020-09-28T15:18:40Z duration=8.0 somevalue=42 otherfield=A
2020-09-28T15:18:45Z duration=2.0 somevalue=10 otherfield=B
2020-09-28T15:18:44Z duration=2.0 somevalue=10 otherfield=B

Here "duration" is in seconds.
I would like to transform those events into a kind of timechart by spreading the "somevalue" over the "duration", starting from the "_time" of the event. The span would be 1 second, for example.
Another condition is to be able to aggregate on "otherfield".

I'm expecting something like this:

_time                 sum(somevalue) otherfield=A   sum(somevalue) otherfield=B
2020-09-28T15:18:40Z  42                            0
2020-09-28T15:18:41Z  42                            0
2020-09-28T15:18:42Z  42                            0
2020-09-28T15:18:43Z  42                            0
2020-09-28T15:18:44Z  42                            10
2020-09-28T15:18:45Z  42                            20
2020-09-28T15:18:46Z  42                            10
2020-09-28T15:18:47Z  42                            0
2020-09-28T15:18:48Z  42                            0
2020-09-28T15:18:49Z  0                             0


I tried to use the "concurrency" function but was not able to get the values spread on several intervals (only a value for the _time of the event).


ITWhisperer
SplunkTrust

I came up with a solution to a similar problem here

In essence, what I did was duplicate each event for each time unit the original event was active (days in the original question, but could easily be seconds in your case). This was done using the makecontinuous command, having first set up a field with the running total of events needed. Then the _time field is adjusted for each new event. This gives a basis on which to do stats.

I noticed that for fieldA in your example you have a duration of 8 seconds but 9 events, whereas for the two fieldB examples you have duration of 2 seconds and 2 events each. Which model do you want to use?

It is a complicated approach; if you have any questions, or need help setting this up for your example, let me know (although I am quite busy, so it may be a little while to work it through).


enenkey
Loves-to-Learn

Thank you for the proposition @ITWhisperer

The 9 repeated events were a mistake; it should be 8.

I'm really confused about the role of "makecontinuous" and how to use it. I would appreciate it if you could give me an example of the query that you think will work.


ITWhisperer
SplunkTrust

From your data:

2020-09-28T15:18:40Z duration=8.0 somevalue=42 otherfield=A
2020-09-28T15:18:45Z duration=2.0 somevalue=10 otherfield=B
2020-09-28T15:18:44Z duration=2.0 somevalue=10 otherfield=B

We would add a column for the number of rows needed (a running total of the durations):

Time                  Duration  somevalue  otherfield  rows
2020-09-28T15:18:40Z  8.0       42         A           8
2020-09-28T15:18:45Z  2.0       10         B           10
2020-09-28T15:18:44Z  2.0       10         B           12

Then we put a row at the start:

Time                  Duration  somevalue  otherfield  rows
                                                       1
2020-09-28T15:18:40Z  8.0       42         A           8
2020-09-28T15:18:45Z  2.0       10         B           10
2020-09-28T15:18:44Z  2.0       10         B           12

makecontinuous, when applied to the field rows, expands this to:

Time                  Duration  somevalue  otherfield  rows
                                                       1
                                                       2
                                                       3
                                                       4
                                                       5
                                                       6
                                                       7
2020-09-28T15:18:40Z  8.0       42         A           8
                                                       9
2020-09-28T15:18:45Z  2.0       10         B           10
                                                       11
2020-09-28T15:18:44Z  2.0       10         B           12

We can then copy the relevant data up (well, down, after we sort descending on rows).

We also adjust the time field so that it increases over the relevant duration:

Time                  Duration  somevalue  otherfield  rows
2020-09-28T15:18:40Z  8.0       42         A           1
2020-09-28T15:18:41Z  8.0       42         A           2
2020-09-28T15:18:42Z  8.0       42         A           3
2020-09-28T15:18:43Z  8.0       42         A           4
2020-09-28T15:18:44Z  8.0       42         A           5
2020-09-28T15:18:45Z  8.0       42         A           6
2020-09-28T15:18:46Z  8.0       42         A           7
2020-09-28T15:18:47Z  8.0       42         A           8
2020-09-28T15:18:45Z  2.0       10         B           9
2020-09-28T15:18:46Z  2.0       10         B           10
2020-09-28T15:18:44Z  2.0       10         B           11
2020-09-28T15:18:45Z  2.0       10         B           12

You now have the data you need to count by time, somevalue and otherfield.

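The steps described in the answer above, written out as one runnable SPL search. This is an added example, not a query posted by ITWhisperer or enenkey. The leading `makeresults` block is a constructed stand-in for the three events in the question (replace it with your own base search); the field names `rows`, `rows_end` and `total` are assumptions chosen for this example. Running totals of `duration` give each event its last row number, a seed row with `rows=1` lets `makecontinuous` fill every row number from 1 to the final total, `sort` and `filldown` copy each event's fields down onto its filler rows, and the `eval` on `_time` shifts each copy to its own second within the duration before `timechart` aggregates by `otherfield`.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=case(n==1, strptime("2020-09-28T15:18:40Z", "%Y-%m-%dT%H:%M:%SZ"),
                  n==2, strptime("2020-09-28T15:18:45Z", "%Y-%m-%dT%H:%M:%SZ"),
                  n==3, strptime("2020-09-28T15:18:44Z", "%Y-%m-%dT%H:%M:%SZ"))
| eval duration=case(n==1, 8.0, n==2, 2.0, n==3, 2.0)
| eval somevalue=case(n==1, 42, n==2, 10, n==3, 10)
| eval otherfield=case(n==1, "A", n==2, "B", n==3, "B")
| fields - n
| streamstats sum(duration) AS rows
| eval rows=round(rows)
| eval rows_end=rows
| append [| makeresults | eval rows=1 | fields - _time]
| sort 0 rows
| makecontinuous rows span=1
| sort 0 - rows
| filldown _time duration somevalue otherfield rows_end
| eval _time=_time + (rows - rows_end + duration - 1)
| timechart span=1s sum(somevalue) AS total BY otherfield
| fillnull value=0
```

For the three constructed events this yields 42 under A for every second from 15:18:40 to 15:18:47, and under B 10 at 15:18:44, 20 at 15:18:45 and 10 at 15:18:46, with 0 elsewhere; the `fillnull` turns the empty buckets into the 0 values shown in the question. The time shift works because, after `filldown`, each filler row knows the last row number of its event (`rows_end`) and its duration, so `rows - rows_end + duration - 1` is the row's offset in seconds from the event start. A shorter way to get the same spread, using a different technique from the one in the answer, is `| eval offset=mvrange(0, duration) | mvexpand offset | eval _time=_time + offset` before the same `timechart`; it avoids the seed row and `makecontinuous` entirely. Either form is the usual way to turn start-plus-duration records (VPN sessions, process lifetimes, connection logs) into a per-second concurrency view for monitoring.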