Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I find the time period when my events were in a particular state

smucheli_splunk
Splunk Employee
Splunk Employee
‎11-11-2019 08:40 PM

I am new to splunk and I am ingesting data from smart lights from my home into splunk, I want to create dashboard to check how long every light was turned on for a given day. I am sort of stuck in figuring out when the state of a particular field changed.
my events look something like this:

 {
    "id": "***",
    "uuid": "***",
    "label": "Lamp",
    "connected": true,
    "power": "on",
    "color": {
      "hue": 33.997711146715496,
      "saturation": 0,
      "kelvin": 3500
    },
    "brightness": 0.6999923704890516,
    "effect": "OFF",
    "group": {
      "id": "*",
      "name": "*"
    },
    "location": {
      "id": "*",
      "name": "*"
    },
    "product": {
      "name": "*",
      "identifier": "*",
      "company": "*",
      "capabilities": {
        "has_color": true,
        "has_variable_color_temp": true,
        "has_ir": false,
        "has_chain": false,
        "has_matrix": false,
        "has_multizone": false,
        "min_kelvin": 2500,
        "max_kelvin": 9000
      }
    },
    "last_seen": "2019-11-12T04:24:10Z",
    "seconds_since_seen": 1
  }

I was reading through splunk answers where people suggested using streamstats. I tried to start with it to query when the last change in my power field happened, here is my SPL:

index="lights" label="myLightName"
| streamstats current=t last(power) as LastPower last(_time) as timeChanged by label
| convert ctime(timeChanged) 
| table LastPower, timeChanged

The table generated doesn't show me the time when a particular light(label) changed in state (power from on to off or vice versa). any ideas as to what I might be missing here?

Here are a few sample stats from the table generated:
alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-13-2019 04:18 AM

@smucheli_splunk ,

Test this against your data

"base search"
|streamstats current=f last(power) as prev,last(_time) as prev_time window=1
|eval diff=abs(prev_time-_time)|eval status=if(power==prev AND power=="on",1,0)
|stats sum(eval(if(status==1,diff,0))) as on,sum(eval(if(status==0,diff,0))) as off
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-13-2019 04:18 AM

@smucheli_splunk ,

Test this against your data

"base search"
|streamstats current=f last(power) as prev,last(_time) as prev_time window=1
|eval diff=abs(prev_time-_time)|eval status=if(power==prev AND power=="on",1,0)
|stats sum(eval(if(status==1,diff,0))) as on,sum(eval(if(status==0,diff,0))) as off
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...