https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556317#M157977 <P>I'm sorry if my question was not complete. The fact is that initially, I do not have an X field, I create it using | eval field_x = if(fieldValue &gt;= fieldThreshold, 1, 0).</P> Fri, 18 Jun 2021 09:14:15 GMT rendie 2021-06-18T09:14:15Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/555952#M157864 <P>Hi folks,</P><P>Just a quick question. For example, a have a dataset</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px">_time</TD><TD width="33.333333333333336%" height="25px">field_x</TD><TD width="33.333333333333336%" height="25px">field_y</TD></TR><TR><TD width="33.333333333333336%" height="25px">14:01</TD><TD width="33.333333333333336%" height="25px">0</TD><TD width="33.333333333333336%" height="25px">0</TD></TR><TR><TD width="33.333333333333336%" height="25px">14:02</TD><TD width="33.333333333333336%" height="25px">0</TD><TD width="33.333333333333336%" height="25px">1</TD></TR><TR><TD width="33.333333333333336%" height="25px">14:03</TD><TD width="33.333333333333336%" height="25px">0</TD><TD width="33.333333333333336%" height="25px">2</TD></TR><TR><TD width="33.333333333333336%" height="25px">14:04</TD><TD width="33.333333333333336%" height="25px">1</TD><TD width="33.333333333333336%" height="25px">3</TD></TR><TR><TD height="25px">14:05</TD><TD height="25px">1</TD><TD height="25px">0</TD></TR><TR><TD height="25px">14:06</TD><TD height="25px">0</TD><TD height="25px">0</TD></TR><TR><TD height="25px">14:07</TD><TD height="25px">1</TD><TD height="25px">1</TD></TR><TR><TD height="25px">14:08</TD><TD height="25px">1</TD><TD height="25px">0</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>If describe this logic in text:&nbsp;field_x is a random number 0 or 1.&nbsp;field_y is how many 0 was in previous events for&nbsp;field_x.</P> Wed, 16 Jun 2021 11:25:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/555952#M157864 rendie 2021-06-16T11:25:48Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/555971#M157867 <P>I changed field_x to As and Bs to show that non-numerics can be dealt with, you just need to compare to one of the values. I recreated field_y and field_z so you can see the process matches your requirement.</P><LI-CODE lang="markup">| makeresults | eval _raw="_time field_x field_y 14:01 A 0 14:02 A 1 14:03 A 2 14:04 B 3 14:05 B 0 14:06 A 0 14:07 B 1 14:08 B 0" | multikv forceheader=1 | fields - _* linecount | streamstats window=1 current=f values(field_x) as previous | eval previous_match=if(previous="A",1,0) | streamstats window=1 current=f values(previous_match) as previous | eval groupstart=if(previous_match=1 AND previous=0,1,0) | streamstats sum(groupstart) as group | eval group=if(previous_match=1,group,null) | streamstats sum(previous_match) as field_z by group | fillnull value=0 field_z</LI-CODE><P>&nbsp;</P> Wed, 16 Jun 2021 13:04:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/555971#M157867 ITWhisperer 2021-06-16T13:04:15Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556030#M157878 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/209705">@rendie</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">YOUR_SEARCH | sort _time | table _time field_x | autoregress field_x as pre p=1 | eval A=if(pre=0,1,null()) | accum A | streamstats list(A) as Z | eval AA = if(isnull(A) and mvcount(Z)&gt;0,mvcount(Z),null()) | filldown AA | fillnull value="0" AA | eval field_y=A-AA | table _time field_x field_y</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="_time field_x 14:01 0 0 14:02 0 1 14:03 0 2 14:04 1 3 14:05 1 0 14:06 0 0 14:07 0 1 14:08 1 0 14:09 0 0 14:10 1 0 14:11 0 0 14:12 0 0 14:13 0 0 14:14 0 0 14:15 1 0 14:16 0 0 14:17 0 0 14:18 1 0 " | multikv forceheader=1 | eval t = 100 | accum t | eval _time = _time + t | sort _time | table _time field_x | autoregress field_x as pre p=1 | eval A=if(pre=0,1,null()) | accum A | streamstats list(A) as Z | eval AA = if(isnull(A) and mvcount(Z)&gt;0,mvcount(Z),null()) | filldown AA | fillnull value="0" AA | eval field_y=A-AA | table _time field_x field_y</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Wed, 16 Jun 2021 17:57:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556030#M157878 kamlesh_vaghela 2021-06-16T17:57:44Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556316#M157976 <P>I'm sorry if my question was not complete. The fact is that initially, I do not have an X field, I create it using | eval field_x = if(fieldValue &gt;= fieldThreshold, 1, 0)</P> Fri, 18 Jun 2021 09:13:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556316#M157976 rendie 2021-06-18T09:13:42Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556317#M157977 <P>I'm sorry if my question was not complete. The fact is that initially, I do not have an X field, I create it using | eval field_x = if(fieldValue &gt;= fieldThreshold, 1, 0).</P> Fri, 18 Jun 2021 09:14:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-events-with-counting/m-p/556317#M157977 rendie 2021-06-18T09:14:15Z