I had a Splunk dashboard which used to give me the historical aggregation time of any source I select in a dropdown.
I was using the query below to get the aggregation time of a source:
```
`index name` env=prod-west
| spath _type | search _type=event
| spath operation | search operation=AGGREGATE
| spath "attributes.sourceName" | search "attributes.sourceName"="$source_name$"
| dedup details technicalName created
| eval start = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| streamstats last(start) as prev_time current=f window=100 by details
| eval diff=abs(prev_time-start)/60
| search diff > 0
| sort start
| rename diff as "Aggregation time(minutes)"
| table created, "Aggregation time(minutes)"
```
This whole implementation was dependent on how SailPoint was entering their event logs. They had the start and end events correlated with each other through the details field.
Check the screenshot below.
Earlier they used to populate the id in the details field for both the start and passed events, but since the last month or two they have stopped populating it altogether, so now there is no way for me to correlate start and end events.
@colin_mckibben Is it possible for you to check on this? Appreciate the help in advance.
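As an added illustration (not part of the post, and not SailPoint's or Splunk's code), the same pipeline written in Python over constructed events; the event field names and the technical names AGGREGATE_STARTED / AGGREGATE_PASSED are assumed. It shows the old log format pairing start and passed events through the details id, and the new format, with an empty details field, yielding no duration at all.

```python
import json
from datetime import datetime

# Constructed sample events (not from the post). First aggregation: old format with a
# shared id in "details" (its PASSED event delivered twice). Second: new format, "details" empty.
RAW_EVENTS = [
    '{"_type":"event","operation":"AGGREGATE","details":"agg-42","technicalName":"AGGREGATE_STARTED","attributes":{"sourceName":"HR-AD"},"created":"2024-03-01T10:00:00.000Z"}',
    '{"_type":"event","operation":"AGGREGATE","details":"agg-42","technicalName":"AGGREGATE_PASSED","attributes":{"sourceName":"HR-AD"},"created":"2024-03-01T10:12:30.000Z"}',
    '{"_type":"event","operation":"AGGREGATE","details":"agg-42","technicalName":"AGGREGATE_PASSED","attributes":{"sourceName":"HR-AD"},"created":"2024-03-01T10:12:30.000Z"}',
    '{"_type":"event","operation":"AGGREGATE","details":"","technicalName":"AGGREGATE_STARTED","attributes":{"sourceName":"HR-AD"},"created":"2024-03-02T10:00:00.000Z"}',
    '{"_type":"event","operation":"AGGREGATE","details":"","technicalName":"AGGREGATE_PASSED","attributes":{"sourceName":"HR-AD"},"created":"2024-03-02T10:09:00.000Z"}',
    '{"_type":"event","operation":"AGGREGATE","details":"agg-7","technicalName":"AGGREGATE_STARTED","attributes":{"sourceName":"Other"},"created":"2024-03-01T10:05:00.000Z"}',
]


def parse_created(value):
    # Same layout as the query's strptime format "%Y-%m-%dT%H:%M:%S.%3N%Z";
    # Python spells milliseconds as %f and accepts the trailing "Z" via %z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def aggregation_minutes(raw_events, source_name):
    """Return ([(created, minutes), ...], uncorrelated_count) for one source.

    Mirrors the dashboard query: filter on _type/operation/sourceName, dedup on
    (details, technicalName, created), then pair consecutive events sharing a
    details id. Events with no details id cannot be paired and are only counted.
    """
    seen, rows = set(), []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("_type") != "event" or ev.get("operation") != "AGGREGATE":
            continue
        if ev.get("attributes", {}).get("sourceName") != source_name:
            continue
        key = (ev.get("details"), ev.get("technicalName"), ev["created"])
        if key not in seen:
            seen.add(key)
            rows.append(ev)
    rows.sort(key=lambda e: parse_created(e["created"]))  # abs() makes order irrelevant
    prev_start, result, uncorrelated = {}, [], 0
    for ev in rows:
        details = ev.get("details")
        if not details:
            uncorrelated += 1
            continue
        start = parse_created(ev["created"])
        if details in prev_start:  # streamstats last(start) ... by details
            diff = abs((start - prev_start[details]).total_seconds()) / 60
            if diff > 0:
                result.append((ev["created"], diff))
        prev_start[details] = start
    return result, uncorrelated
```

For the constructed input the old-format pair yields one row of 12.5 minutes, while the two new-format events are reported only as uncorrelated.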