topic Re: count between events in Splunk Search

count between events

mkrauss1 — Mon, 31 Aug 2015 15:07:30 GMT

I would like to count values between an event and i'm not getting an entry point for this at all.

Assume i get an event like:

SOURCE=ABC EVENT=1

and from there i would like to count all results given in RESULT:

SOURCE=ABC RESULT=1

until the event goes off

SOURCE=ABC EVENT=0

Idealy this would work with multiple sources like

 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0

And then return something like

 RESULT_TOTAL=3

Any ideas how to achieve this?

Re: count between events

somesoni2 — Mon, 31 Aug 2015 15:13:20 GMT

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

Re: count between events

mkrauss1 — Mon, 31 Aug 2015 15:54:27 GMT

Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after

SOURCE=ABC EVENT=0

until

SOURCE=ABC EVENT=1

and ignore (don't) count anything else?

Re: count between events

somesoni2 — Mon, 31 Aug 2015 16:00:04 GMT

How about this

your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1

Re: count between events

mkrauss1 — Mon, 31 Aug 2015 16:28:28 GMT

Great, Thanks!