topic Re: Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below in Splunk Search https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468569#M131935 <P>WOW! That was fast! Thank you!</P> <P>I only corrected <CODE>value&gt;45</CODE> to <CODE>value&gt;=45</CODE> and it is almost what I wanted to get.<BR /> In you version duration is started to being calculated since the first value which crossed threshold (increasing direction). For that value I'd like to have <CODE>0</CODE> and duration should be started to being calculated for next value (of course only if that next value is still equal or above threshold).</P> <P>Modified example:<BR /> <IMG src="https://i.imgur.com/8AaoxFH.png" alt="alt text" /></P> <P>Result of your search:<BR /> <IMG src="https://i.imgur.com/yLOHVrO.png" alt="alt text" /></P> <P>Is this even possible?</P> Sat, 04 Apr 2020 20:07:57 GMT pawelzak 2020-04-04T20:07:57Z Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468567#M131933 <P>I have a log that contains numerical value which is logged irregularly:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8639i3DA8451FF559FFCC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I would like to calculate (and show on timechart) total continuous duration when value is equal or above static threshold. But I'd like to reset this calculation when it goes below that threshold.</P> <P>For threshold == 45 it should like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8640iF540944557180885/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How can I get this? Thanks for your help.</P> Sat, 04 Apr 2020 08:23:40 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468567#M131933 pawelzak 2020-04-04T08:23:40Z Re: Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468568#M131934 <PRE><CODE>| makeresults | eval _raw="time,value 2020-03-31 22:00:00,40 2020-03-31 22:00:20,45 2020-03-31 22:01:03,46 2020-03-31 22:01:36,48 2020-03-31 22:02:01,52 2020-03-31 22:02:27,41 2020-03-31 22:03:11,43 2020-03-31 22:03:30,44 2020-03-31 22:04:08,48 2020-03-31 22:04:32,44 2020-03-31 22:05:01,46 2020-03-31 22:05:39,48 2020-03-31 22:06:00,52" | multikv forceheader=1 | eval _time=strptime(time,"%F %T") | autoregress value as p_1 | eval flag=if(value &gt; 45 AND p_1 &gt;= 45, 1, 0) | streamstats window=2 range(_time) as duration | streamstats reset_on_change=t sum(duration) as duration by flag | eval duration=if(flag=="0", "0", round(duration)) | table _time value duration </CODE></PRE> <P><EM>value</EM> are changed from original question.<BR /> <EM>flag</EM> is the key. Please modify as you like.</P> Sat, 04 Apr 2020 09:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468568#M131934 to4kawa 2020-04-04T09:44:52Z Re: Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468569#M131935 <P>WOW! That was fast! Thank you!</P> <P>I only corrected <CODE>value&gt;45</CODE> to <CODE>value&gt;=45</CODE> and it is almost what I wanted to get.<BR /> In you version duration is started to being calculated since the first value which crossed threshold (increasing direction). For that value I'd like to have <CODE>0</CODE> and duration should be started to being calculated for next value (of course only if that next value is still equal or above threshold).</P> <P>Modified example:<BR /> <IMG src="https://i.imgur.com/8AaoxFH.png" alt="alt text" /></P> <P>Result of your search:<BR /> <IMG src="https://i.imgur.com/yLOHVrO.png" alt="alt text" /></P> <P>Is this even possible?</P> Sat, 04 Apr 2020 20:07:57 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468569#M131935 pawelzak 2020-04-04T20:07:57Z Re: Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468570#M131936 <P>yes, check my answer.</P> Sat, 04 Apr 2020 21:21:24 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468570#M131936 to4kawa 2020-04-04T21:21:24Z Re: Calculate total continuous duration when value is equal or above static threshold with resetting calculation when it goes below https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468571#M131937 <P>This is exactly what I needed! </P> <P>Thank you very much!</P> Tue, 07 Apr 2020 10:24:00 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-total-continuous-duration-when-value-is-equal-or-above/m-p/468571#M131937 pawelzak 2020-04-07T10:24:00Z