I have a search that returns a list of namespace values. I want to take each one of those namespace values and run streamstats on it by doing a ...|search namespace=<namespace> | streamstats... I tried doing a by namespace in my streamstats, but for some reason, it doesn't work and the only way it seems to work is with the pre-search by a single namespace ahead of time... How do I accomplish this? current search source="/var/log/lag/stats.txt" d=* | eval namespace=trim(replace(namespace,"sample-text.","")) | eval Processed_time=_time | search namespace=HeartBeat | streamstats current=false window=500 last(count) as prev_count earliest(Processed_time) as time_of_last_change by namespace | where prev_count != count | eval actualchange=prev_count-count | streamstats current=false window=2 range(Processed_time) AS diffoflastchange by namespace | eval diffoflastchange=round(diffoflastchange) | eval changeformatted=tostring(diffoflastchange,"duration") | stats range(diffoflastchange) as totalrange by namespace | eval totalrangeformat=tostring(totalrange,"duration") Sure thing! events are really super basic.... d=12/14/18 02:15:01 PM UTC namespace=Sample,count=5400315 d=12/14/18 02:18:01 PM UTC namespace=HeartBeat,count=5400610 d=12/14/18 02:21:01 PM UTC namespace=Sample,count=5400927 d=12/14/18 02:24:01 PM UTC namespace=HeartBeat,count=5400815 So I'd expect my output to be HeartBeat Avg Update Span = Sample Avg Update Span = ... View more

BASE SEARCH ... | eval Processed_time=_time | streamstats current=false window=500 last(count) as prev_count earliest(Processed_time) as time_of_last_change by namespace | where prev_count != count | eval actualchange=prev_count-count | streamstats current=false window=2 range(Processed_time) AS diffoflastchange by namespace | eval diffoflastchange=round(diffoflastchange) | eval changeformatted=tostring(diffoflastchange,"duration") | stats range(diffoflastchange) as totalrange by namespace | eval totalrangeformat=tostring(totalrange,"duration") This query gets me a list of all my namespaces but I don't get the output of totalrange --- the only way I can seem to get the output is if I specify ONE namespace in my base search. So how can I either iterate over all my name spaces OR get this search to work? ... View more

I want to calculate the average time between updates for my data — I.E: on average, how often is this data changing? I'm able to get the changes in data and the delta between those changes by using the streamstats command. ...| table _time namespace diffoflastchange I end up with the columns above where the important column is diffoflastchange, which is really... | streamstats current=false last(count) as prev_count last(_time) as time_of_last_change by namespace | eval diffoflastchange=now()-time_of_last_change ...so now, I got all my timestamps per above, but I can't figure how to average them together to get the, let's say, daily average over a 2 week period. ... View more

Whats the difference between the machine learning toolkit>forecast and the predict command you can run at searchtime? ... View more

How does one debug searches when you expect a column to be filled out yet its not? sourcetype=mongo_stats | streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace | eval diffoflastchange=now()-time_of_last_change | eval HH:MM:SS_since_last_change=tostring(diffoflastchange,"duration") | rename count as current_count | fieldformat current_count=tostring(current_count,"commas") | table namespace current_count HH:MM:SS_since_last_change lastChange | addcoltotals current_count | dedup namespace | sort -current_count for some reason the only columns I get are namespace and current count - the others are all blank but the logic to calculate the others looks right! ... View more

Please, why can't the addcoltotals command support an optional Boolean field for comma support? https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addcoltotals ... View more