https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668282#M229256 <LI-CODE lang="markup">| rex field=logs "\|(?&lt;msg&gt;.+)$" | stats sum(eval(case(msg=="**Starting**",1,msg=="Shutting down",-1))) as bad count(eval(case(msg=="**Starting**",1))) as starts | eval good=starts-bad</LI-CODE> Fri, 10 Nov 2023 21:54:54 GMT ITWhisperer 2023-11-10T21:54:54Z https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668273#M229253 <P>Example logs</P><P>2022-08-19 08:10:53.0593|**Starting**</P><P>2022-08-19 08:10:53.5905|fff</P><P>2022-08-19 08:10:53.6061|dd</P><P>2022-08-19 08:10:53.6218|Shutting down</P><P>2022-08-19 08:10:53.6218|**Starting**</P><P>2022-08-19 08:10:53.6374|fffff</P><P>2022-08-19 08:10:53.6686|ddd</P><P>2022-08-19 08:10:53.6843|**Starting**</P><P>2022-08-19 08:10:54.1530|aa</P><P>2022-08-19 08:10:54.1530|vv</P><P>&nbsp;</P><P>From this I have created three columns Devicenumber, &nbsp;_time ,Description</P><P>If ** Starting ** message has followed by "Shutting down" mean, it should classify as good and if Starting message has not Shutting down mean, it should classify as bad.</P><P>&nbsp;</P><P>From the above example, there should be 2 bad and one good.</P><P>&nbsp;</P><P>If there is only one row which has only Starting and no shutting down recorded, in that case also , it should classify as bad</P> Fri, 10 Nov 2023 18:46:17 GMT https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668273#M229253 Kirthika 2023-11-10T18:46:17Z https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668282#M229256 <LI-CODE lang="markup">| rex field=logs "\|(?&lt;msg&gt;.+)$" | stats sum(eval(case(msg=="**Starting**",1,msg=="Shutting down",-1))) as bad count(eval(case(msg=="**Starting**",1))) as starts | eval good=starts-bad</LI-CODE> Fri, 10 Nov 2023 21:54:54 GMT https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668282#M229256 ITWhisperer 2023-11-10T21:54:54Z https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668339#M229281 <P>Nice SPL&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;..&nbsp;</P><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254923">@Kirthika</a>&nbsp;.. pls check this SPL.. (the stats logic may needs to be fine-tuned)</P><P>&nbsp;</P><LI-CODE lang="markup">source="testlogrex.txt" host="laptop" sourcetype="nov12" | rex field=_raw "\|(?&lt;msg&gt;.+)$" | stats sum(eval(case(msg=="**Starting**",1,msg=="Shutting down",-1))) as bad count(eval(case(msg=="**Starting**",1))) as starts | eval good=starts-bad</LI-CODE><P>&nbsp;</P><P>this SPL gives this result..&nbsp;</P><P>bad starts good</P><TABLE><TBODY><TR><TD>5</TD><TD>7</TD><TD>2</TD></TR></TBODY></TABLE><P><BR /><BR />The Sample logs and rex used here:</P><P>source="testlogrex.txt" host="laptop" sourcetype="nov12"<BR />| rex field=_raw "\|(?&lt;msg&gt;.+)$"<BR />| table _raw msg</P><P>_raw msg</P><TABLE><TBODY><TR><TD>2022-08-19 08:10:04.6218|Shutting down</TD><TD>Shutting down</TD></TR><TR><TD>2022-08-19 08:10:03.6061|dd03</TD><TD>dd03</TD></TR><TR><TD>2022-08-19 08:10:02.5905|fff</TD><TD>fff</TD></TR><TR><TD>2022-08-19 08:10:01.0593|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:08.6843|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:07.6686|ddd07</TD><TD>ddd07</TD></TR><TR><TD>2022-08-19 08:10:06.6374|fffff06</TD><TD>fffff06</TD></TR><TR><TD>2022-08-19 08:10:05.6218|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:12.5905|fff12</TD><TD>fff12</TD></TR><TR><TD>2022-08-19 08:10:11.0593|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:10.1530|vv10</TD><TD>vv10</TD></TR><TR><TD>2022-08-19 08:10:09.1530|aa09</TD><TD>aa09</TD></TR><TR><TD>2022-08-19 08:10:16.6374|fffff16</TD><TD>fffff16</TD></TR><TR><TD>2022-08-19 08:10:15.6218|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:14.6218|Shutting down</TD><TD>Shutting down</TD></TR><TR><TD>2022-08-19 08:10:13.6061|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:19.15|aa19</TD><TD>aa19</TD></TR><TR><TD>2022-08-19 08:10:18.6843|**Starting**</TD><TD>**Starting**</TD></TR><TR><TD>2022-08-19 08:10:17.6686|ddd17</TD><TD>ddd17</TD></TR><TR><TD>2022-08-19 08:10:20.160|vv20</TD><TD>vv20</TD></TR></TBODY></TABLE> Sun, 12 Nov 2023 05:20:32 GMT https://community.splunk.com/t5/Splunk-Search/Classify-into-a-group/m-p/668339#M229281 inventsekar 2023-11-12T05:20:32Z