https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692962#M235841 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/48579">@nabeel652</a>&nbsp;,</P><P>if you already extracted the status field, you could try something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | autoregress status as status_old p=1 | table _time status status_old | where NOT status=status_old</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Jul 2024 05:51:34 GMT gcusello 2024-07-11T05:51:34Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692959#M235838 <P>Hello wonderful Splunk community,</P><P><BR />I have some data where I want count to change only when status changes:<BR /><BR />Status&nbsp; &nbsp;Count<BR />-------------------<BR />Online&nbsp; &nbsp; &nbsp; 1<BR /><SPAN>Online&nbsp; &nbsp; &nbsp; 1<BR /></SPAN>Online&nbsp; &nbsp; &nbsp;1<BR />Break&nbsp; &nbsp; &nbsp; 2<BR />Break&nbsp; &nbsp; &nbsp; &nbsp;2<BR />Online&nbsp; &nbsp; &nbsp; &nbsp;3<BR />Online&nbsp; &nbsp; &nbsp; &nbsp;3<BR />Lunch&nbsp; &nbsp; &nbsp; &nbsp;4<BR />Lunch&nbsp; &nbsp; &nbsp; &nbsp; 4<BR />Lunch&nbsp; &nbsp; &nbsp; &nbsp;4<BR />Offline&nbsp; &nbsp; &nbsp;5<BR />Offline&nbsp; &nbsp; 5<BR /><BR />Any help appreciated.&nbsp;</P> Thu, 11 Jul 2024 05:03:56 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692959#M235838 nabeel652 2024-07-11T05:03:56Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692962#M235841 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/48579">@nabeel652</a>&nbsp;,</P><P>if you already extracted the status field, you could try something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | autoregress status as status_old p=1 | table _time status status_old | where NOT status=status_old</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Jul 2024 05:51:34 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692962#M235841 gcusello 2024-07-11T05:51:34Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692965#M235842 <P>Thank you for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />I was able to achieve the same with</P><P><BR />| streamstats reset_on_change=true count by Activity<BR />| where count==1<BR /><BR />But I want a count field that just increments when it senses a change in status.<BR />so I can do my&nbsp;<BR />| stats earliest(_time) as startTime, latest(_time) as endTime by status, count<BR />or something like that...</P> Thu, 11 Jul 2024 06:02:34 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692965#M235842 nabeel652 2024-07-11T06:02:34Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692967#M235843 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/48579">@nabeel652</a>&nbsp;,</P><P>did you tried with accum?</P><LI-CODE lang="markup">&lt;your_search&gt; | autoregress status as status_old p=1 | table _time status status_old | where NOT status=status_old | eval NO=1 | accum NO</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Jul 2024 06:09:23 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/692967#M235843 gcusello 2024-07-11T06:09:23Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693131#M235869 <P>Thank you</P><P>I don't want to omit any records. This sort of gives me the required results but records are missing which I don't want. I want same number of rows after the solution is applied.&nbsp;</P> Fri, 12 Jul 2024 00:10:09 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693131#M235869 nabeel652 2024-07-12T00:10:09Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693143#M235873 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/48579">@nabeel652</a>&nbsp;,</P><P>ok, please try this:</P><LI-CODE lang="markup">&lt;your_search&gt; | autoregress status as status_old p=1 | table _time status status_old | eval NO=0 | foreach NO [ eval NO=if(status=status_old,NO,NO+1)] | accum NO</LI-CODE><P>that I tested (and runs) in this way:</P><LI-CODE lang="markup">| makeresults | eval _raw= "Online 1" | append [ | makeresults | eval _raw= "Online 1"] | append [ | makeresults | eval _raw= "Online 1"] | append [ | makeresults | eval _raw= "Break 2"] | append [ | makeresults | eval _raw= "Break 2"] | append [ | makeresults | eval _raw= "Online 3"] | append [ | makeresults | eval _raw= "Online 3"] | append [ | makeresults | eval _raw= "Lunch 4"] | append [ | makeresults | eval _raw= "Lunch 4"] | append [ | makeresults | eval _raw= "Lunch 4"] | append [ | makeresults | eval _raw= "Offline 5"] | append [ | makeresults | eval _raw= "Offline 5"] | rex "^(?&lt;status&gt;\w+)" | autoregress status as status_old p=1 | table _time status status_old | eval NO=0 | foreach NO [ eval NO=if(status=status_old,NO,NO+1)] | accum NO</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 12 Jul 2024 06:41:05 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693143#M235873 gcusello 2024-07-12T06:41:05Z https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693173#M235879 <P>I was able to do it by some other way but your solution is cleaner and elegant. Thanks for the help&nbsp;</P> Fri, 12 Jul 2024 09:33:07 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-changes-only-when-value-in-a-column-changes/m-p/693173#M235879 nabeel652 2024-07-12T09:33:07Z