https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367947#M165238 <P>Hi syokota [Splunk],<BR /> please detail more you answer first Final Result or second one?<BR /> in the first case</P> <PRE><CODE>your_search | stats values(No) As No earliest(_time) AS _time values(delta_value) AS delta_value BY value1 | table No _time value1 delta_value </CODE></PRE> <P>In the second case</P> <PRE><CODE>your_search | stats values(No) As No earliest(_time) AS _time values(delta_value) AS delta_value count BY value1 | where count=1 | table No _time value1 delta_value </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 13 Nov 2017 10:56:05 GMT gcusello 2017-11-13T10:56:05Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367946#M165237 <P>Hi Experts,<BR /> I'd like to filter the record when the "delta_value" has the same value within 15 seconds (or repeats 3 times).</P> <P>The sample value is below.</P> <PRE><CODE>No, _time, value1, delta_value 1, 05/26/2017 06:32:50, 5.949602127, 0 2, 05/26/2017 06:32:55, 15.949602127, 10 3, 05/26/2017 06:33:00, 16.949602127, 1 4, 05/26/2017 06:33:05, 17.949602127, 1 5, 05/26/2017 06:33:10, 18.949602127, 1 6, 05/26/2017 06:33:15, 17.949602127, 1 7, 05/26/2017 06:33:20, 17.949602127, 0 </CODE></PRE> <P>And I wish to finalize below search outputs.</P> <P>Ideal Final Result pattern A.</P> <PRE><CODE>No, _time, value1, delta_value 1, 05/26/2017 06:32:50, 5.949602127, 0 2, 05/26/2017 06:32:55, 15.949602127, 10 3, 05/26/2017 06:33:00, 16.949602127, 1 7, 05/26/2017 06:33:20, 17.949602127, 0 </CODE></PRE> <P>OR</P> <P>Ideal Final Result pattern B </P> <PRE><CODE>No, _time, value1, delta_value 1, 05/26/2017 06:32:50, 5.949602127, 0 2, 05/26/2017 06:32:55, 15.949602127, 10 7, 05/26/2017 06:33:20, 17.949602127, 0 </CODE></PRE> <P>How do you do it? Any comments and any idea welcome!</P> Mon, 13 Nov 2017 10:19:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367946#M165237 syokota_splunk 2017-11-13T10:19:59Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367947#M165238 <P>Hi syokota [Splunk],<BR /> please detail more you answer first Final Result or second one?<BR /> in the first case</P> <PRE><CODE>your_search | stats values(No) As No earliest(_time) AS _time values(delta_value) AS delta_value BY value1 | table No _time value1 delta_value </CODE></PRE> <P>In the second case</P> <PRE><CODE>your_search | stats values(No) As No earliest(_time) AS _time values(delta_value) AS delta_value count BY value1 | where count=1 | table No _time value1 delta_value </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 13 Nov 2017 10:56:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367947#M165238 gcusello 2017-11-13T10:56:05Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367948#M165239 <P>Sorry to bothering you.<BR /> The fields of “No” is not existing in both actual raw log and ideal final results.</P> <P>Please ignore the No column.</P> Mon, 13 Nov 2017 11:06:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367948#M165239 syokota_splunk 2017-11-13T11:06:23Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367949#M165240 <P>without the <CODE>No</CODE> column in table command and <CODE>values(No) As No</CODE> in stats command, does it run?<BR /> Bye.<BR /> Giuseppe</P> Mon, 13 Nov 2017 11:18:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367949#M165240 gcusello 2017-11-13T11:18:19Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367950#M165241 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/73924">@syokota_splunk</a>, I was able to create query to generate sample pattern A, where same delta_value if repeated for more than 2 times will all be merged as one row. Please try out run anywhere search below, which is based on <CODE>streamstats</CODE> which requires events to be sorted with time i.e. ascending or descending (your sample data seemed sorted chronologically which suffices the need)<BR /> PS: Commands till <CODE>| table</CODE> generate mock data as per the question. Only continuous delta_values increase counter, if there is a different value the counter resets.</P> <PRE><CODE>| makeresults | eval data="1,05/26/2017 06:32:50,5.949602127,0;2,05/26/2017 06:32:55,15.949602127,10;3,05/26/2017 06:33:00,16.949602127,1;4,05/26/2017 06:33:05,17.949602127,1;5,05/26/2017 06:33:10,18.949602127,1;6,05/26/2017 06:33:15,17.949602127,1;7,05/26/2017 06:33:20,17.949602127,0;8,05/26/2017 06:33:40,13.889602127,0" | makemv data delim=";" | mvexpand data | eval data=split(data,",") | eval No=mvindex(data,0), _time=mvindex(data,1), value1=mvindex(data,2), delta_value=mvindex(data,3) | table No _time value1 delta_value | eval _time=strptime(_time,"%m/%d/%Y %H:%M:%S") | streamstats count as sameCount by delta_value reset_on_change=true | eventstats max(sameCount) as maxCounter by delta_value | eval maxCounter=case(sameCount=1 AND maxCounter&gt;2,1,true(),maxCounter) | search maxCounter=1 OR maxCounter=2 </CODE></PRE> <P>Your second pattern is a bit complicated. I will give that a try, but hopefully someone will be able to solve before that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 16:46:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367950#M165241 niketn 2020-09-29T16:46:36Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367951#M165242 <P>Actually the "No" column is not existing. Please refer below raw data.</P> <P>_time, value1, delta_value<BR /> 05/26/2017 06:32:50, 5.949602127, 0<BR /> 05/26/2017 06:32:55, 15.949602127, 10<BR /> 05/26/2017 06:33:00, 16.949602127, 1<BR /> 05/26/2017 06:33:05, 17.949602127, 1<BR /> 05/26/2017 06:33:10, 18.949602127, 1<BR /> 05/26/2017 06:33:15, 17.949602127, 1<BR /> 05/26/2017 06:33:20, 17.949602127, 0</P> Tue, 29 Sep 2020 16:46:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367951#M165242 syokota_splunk 2020-09-29T16:46:52Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367952#M165243 <P>Thank you niketnilay!<BR /> But I'm sorry, the "No" column is not existing in raw log that's my fault..</P> <P>And "_time" is dynamically changing I mean not only sample data also new data will come, so you mentioned SPL of no.2 raw is difficult to do it.</P> Mon, 13 Nov 2017 22:00:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367952#M165243 syokota_splunk 2017-11-13T22:00:49Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367953#M165244 <P>You could try something like this </P> <P><CODE>index=xxx sourcetype=xxx | bin delta_value span=15s | timechart cont=true count</CODE> </P> <P>You could also look into the <CODE>| makecontineous</CODE> command </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/ListOfSearchCommands">http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/ListOfSearchCommands</A><BR /> "Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)"</P> Mon, 13 Nov 2017 22:05:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367953#M165244 skoelpin 2017-11-13T22:05:16Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367954#M165245 <P>@syokota, I have extracted <CODE>No</CODE> field but have not used it in any logic.</P> <P>And what I meant by events sorted by time (in chornologica or reverse), is that you would need to use <CODE>sort</CODE> or <CODE>reverse</CODE> command before using streamstats as it generates the stats on streaming manner and unsorted events may give incorrect stats.</P> <P>My commands till <CODE>| table</CODE> just created the dummy table as per the data provided in the question. You would need to create your base query in a way that. Your output is sorted by _time (even if it does not have <CODE>No</CODE> field that would be fine).</P> <P>If your default output table is in reverse chronological order then streamstats might need adjustment (not sure). But will perform better because one additional <CODE>| reverse</CODE> command can be avoided before streamstats. Please do try out and confirm. If it does not work give the sample output from your base search which displays <CODE>_time, value1, delta_value</CODE>, in the same order.</P> Tue, 14 Nov 2017 04:42:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367954#M165245 niketn 2017-11-14T04:42:29Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367955#M165246 <P>Did this work for you?</P> Mon, 27 Nov 2017 14:57:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367955#M165246 skoelpin 2017-11-27T14:57:27Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367956#M165247 <P>I've done with below SPL.</P> <PRE><CODE>index="sensor" | sort + _time | streamstats current=f window=1 last(value1) as last_value1 | eval diff=abs(value1-last_value1),diff=if(diff&gt;180,abs(value1+last_value1-360),diff) | streamstats current=t window=50 values(diff) as last_diff_50 | eval countmv=mvcount(last_diff_50) | search countmv!=1 | table _time value1 </CODE></PRE> Mon, 27 Nov 2017 20:19:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-continuous-values-within-5-minutes/m-p/367956#M165247 syokota_splunk 2017-11-27T20:19:43Z