Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamstats time_window current=f error

brianmeyer54
New Member
‎07-04-2024 04:08 PM

Hello all,

I am using steamstats with time_window=60m to calculate the moving average over the past hour.  However, when I set current=f i receive an error in the search log, "Error in 'streamstats' command:  Cannot set current to false when using a time window."  Is there a way to get around this?  Steam stats is exactly what i need to calculate the moving average, but I do not want to include the current event.  If there is not a way around this, is there another way to calculate the moving average and not including the current event?  Thanks

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2024 02:46 AM

I suppose it makes sense with moving time window Splunk has to keep track of the window and events fitting that window. If you don't include the current event Splunk doesn't know how many previous events it has to keep and include in your calculations.

If you have a fixed window expressed in number of events - that's easy - Splunk has always remember last n events to calculate your aggregation. But in case of time window it would make Splunk have to remember much more events that are used to calculate the stats in case they don't "fall out" of the window in case of next event. So it's simply easiest to forbid using use_current=f probably.

I suppose you could do some ugly hacks like streamstatsing lists of values and manually calculating your aggregations but that would probably be horribly inefficient.

I must say that I don't see a use case. What that would even mean "5-minute window without current event" - A window of 5 minutes looking back from the previous remembered event? Or a window of 5 minutes looking back from current event but without using current event's value?

In the latter case you could simply do a "half automatic" calculations - for example with an average, you could just streamstats sum and count, then substract the current event's value from the sum and use count (or count-1) to calculate average. For more sophisticated aggregations of course you'd need to be a bit more creative.

But the former case - it doesn't differ from use_current=t if you're just aggregating from previous event backwards.

Maybe there's something more to this case you're not telling us and it can be done in yet another way.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-05-2024 01:48 PM

What do you use streamstats for?  You can always bucket time before streamstats, something like

| bin span=60m _time
| streamstats current=f count

This will not work if your use case requires you to maintain time resolution, although that should be rather rare. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top