Hello all,
I've seen examples of how to find time between events using streamstats, and also to find the time since the most recent event using stats, but how would I accomplish doing both?
Ultimately I'm trying to detect a loss of information that's reported every 10 minutes, so I'm using streamstats to search for differences of > 10 min, however this "outage" isn't detected until after the data is reported again, thus giving streamstats two items to actually compare. I need all of these deltas, and also the time since the most recent as occurred.
Thanks, and here's some code I have:
search
| streamstats current=t last(_time) as last_time by field
| eval outage= last_time - _time
| eval outage=tostring(outage, "duration")
| table field _time outage
↧