https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442963#M172435 <P>Hi again @adonio,</P> <P>Now I need to calculate total count of Function after Status 1, how to do that?<BR /> The result should be as follow:</P> <P>Status...........................count of Function<BR /> Status1 ........................3</P> Tue, 26 Mar 2019 16:00:02 GMT jyab6z 2019-03-26T16:00:02Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442958#M172430 <P>Our log looks like as following after basic search:</P> <PRE><CODE>Date..............Time...........................UserID..................Function/Status 20190227 03:56:22:788 [njdh00t2ldqwuocvtdzdywcr] - Function 20190227 03:55:09:933 [njdh00t2ldqwuocvtdzdywcr] - Status 1. 20190227 03:46:35:503 [njdh00t2ldqwuocvtdzdywcr] - Function 20190227 03:46:32:587 [njdh00t2ldqwuocvtdzdywcr] - Function 20190227 03:45:14:681 [njdh00t2ldqwuocvtdzdywcr] - Function 20190227 03:44:56:292 [njdh00t2ldqwuocvtdzdywcr] - Status 2. 20190227 03:33:15:450 [njdh00t2ldqwuocvtdzdywcr] - Status 1. </CODE></PRE> <P>I want to count percentage of Status 1 and Status 2 right before Function event for same Date and same UserID.<BR /> In this case, the result should be as follow:</P> <PRE><CODE>Status...........................count Status1 ........................1 Status2 ........................1 </CODE></PRE> <P>Due to first Status 1 event was not counted. The search need to check the Status before Function event, only the Status followed by a Function event should be counted. </P> <P>Any idea? Thanks in advance! </P> Mon, 18 Mar 2019 07:31:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442958#M172430 jyab6z 2019-03-18T07:31:05Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442959#M172431 <P>hello there,</P> <P>hope i understood your question.<BR /> try and run the below search anywhere, i added extra lines with another Status, <CODE>Status 3</CODE>:</P> <PRE><CODE>| makeresults count=1 | eval data = "20190227 03:56:22:788 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 03:55:09:933 [njdh00t2ldqwuocvtdzdywcr] - Status 1;;;20190227 03:46:35:503 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 03:46:32:587 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 03:45:14:681 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 03:44:56:292 [njdh00t2ldqwuocvtdzdywcr] - Status 2;;;20190227 03:33:15:450 [njdh00t2ldqwuocvtdzdywcr] - Status 1;;;20190227 03:56:22:788 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 04:55:09:933 [njdh00t2ldqwuocvtdzdywcr] - Status 2;;;20190227 04:46:35:503 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 04:46:32:587 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 04:45:14:681 [njdh00t2ldqwuocvtdzdywcr] - Function;;;20190227 04:44:56:292 [njdh00t2ldqwuocvtdzdywcr] - Status 3;;;20190227 04:33:15:450 [njdh00t2ldqwuocvtdzdywcr] - Status 1" | makemv delim=";;;" data | mvexpand data | rex field=data "(?&lt;YMD&gt;[^\s]+)\s+(?&lt;HMS&gt;[^\s]+)\s+(?&lt;u_id&gt;[^\s]+)\s+\-\s+(?&lt;function&gt;[^\|]+)" | table YMD HMS u_id function | rename COMMENT as "the above generates data below is the solution" | reverse | streamstats window=1 current=f last(function) as previous_function | stats values(function) as original_function values(previous_function) as origial_previous_function by YMD u_id | mvexpand original_function | mvexpand origial_previous_function | eval should_count = if(origial_previous_function LIKE "Status%" AND original_function=="Function",1,0) | stats sum(should_count) by YMD origial_previous_function | where like(origial_previous_function,"Status%") </CODE></PRE> <P>Hope it helps</P> Mon, 18 Mar 2019 12:07:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442959#M172431 adonio 2019-03-18T12:07:17Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442960#M172432 <P>Hi @adonio,</P> <P>It helps alot! Thank you! One more question, what if the log continue with other user's info,? For instance:</P> <P>Date..............Time...........................UserID..................Function/Status<BR /> 20190227 03:56:22:788 [njdh00t2ldqwuocvtdzdywcr] - Function<BR /> 20190227 03:55:09:933 [njdh00t2ldqwuocvtdzdywcr] - Status 1.<BR /> 20190227 03:46:35:503 [njdh00t2ldqwuocvtdzdywcr] - Function<BR /> 20190227 03:46:32:587 [njdh00t2ldqwuocvtdzdywcr] - Function<BR /> 20190227 03:45:14:681 [njdh00t2ldqwuocvtdzdywcr] - Function<BR /> 20190227 03:44:56:292 [njdh00t2ldqwuocvtdzdywcr] - Status 2.<BR /> 20190227 03:33:15:450 [njdh00t2ldqwuocvtdzdywcr] - Status 1.<BR /> 20190227 03:32:32:587 [new user here] - Function<BR /> 20190227 03:31:14:681 [new user here] - Function<BR /> 20190227 03:30:56:292 [new user here] - Status 2.<BR /> 20190227 03:29:15:450 [new user here] - Status 1.</P> <P>Can I add an empty line between different users somehow?<BR /> Thank you alot!</P> Mon, 18 Mar 2019 14:28:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442960#M172432 jyab6z 2019-03-18T14:28:41Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442961#M172433 <P>not sure what do you mean by "add an empty line ..."<BR /><BR /> the search logic should cover also different users </P> Mon, 18 Mar 2019 17:03:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442961#M172433 adonio 2019-03-18T17:03:56Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442962#M172434 <P>Yea, never mind, my bad! Thank you! </P> Tue, 19 Mar 2019 08:24:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442962#M172434 jyab6z 2019-03-19T08:24:54Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442963#M172435 <P>Hi again @adonio,</P> <P>Now I need to calculate total count of Function after Status 1, how to do that?<BR /> The result should be as follow:</P> <P>Status...........................count of Function<BR /> Status1 ........................3</P> Tue, 26 Mar 2019 16:00:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442963#M172435 jyab6z 2019-03-26T16:00:02Z https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442964#M172436 <P>can you open another question?<BR /> this one is marked accepted to the world so less chances other community members will open it and help</P> Tue, 26 Mar 2019 16:27:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-and-count-the-status-before-a-certain-event/m-p/442964#M172436 adonio 2019-03-26T16:27:16Z