topic Re: How to count number of events that occurred near different events in Splunk Search

How to count number of events that occurred near different events

xfiles80 — Wed, 19 Oct 2016 08:43:17 GMT

Hi,

I am a begginner and can't find solution for my problem.
I have 3 fields:
2 from one source
Characteristic ( has Characteristic names)
Value (has value of measured Characteristic)
and one from another source
Temprature (Temeprature during measurement)

Time of Temperature recording and result recording are different so it should consider span=1hr
I would like to receive information how many measurements above specific value were recorded and in what temperature it happened ie.

Temp No of meas.
10-20 12
21-30 35
31-40 15

Below serach string I tried to use:

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" |bin Temperature bins=10 |chart count(Value) by Temperature

and received only 0 for counts. I suspect that I should use "transaction". I tried but I failed.

Re: How to count number of events that occurred near different events

sundareshr — Wed, 19 Oct 2016 13:26:58 GMT

Try this

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | convert num(Temperature) as Temperature | bin Temperature bins=10 | stats count by Temperature

Re: How to count number of events that occurred near different events

xfiles80 — Wed, 19 Oct 2016 20:21:57 GMT

Unfortunately it doesn't work correctly. Please remeber that I want to count values for each temperture bin and data are from different sources so have different timelines.

Re: How to count number of events that occurred near different events

xfiles80 — Fri, 21 Oct 2016 11:26:24 GMT

I will add some data examples:
source1:
Date/Time Value
2016-01-01 01:05 1.49
2016-01-01 03:17 1.57
2016-01-01 05:15 1.58
2016-01-01 11:11 1.59
2016-01-01 17:00 1.49
2016-01-01 23:18 1.56

source2:
Date/Time Temperature
2016-01-01 01:00 23.1
2016-01-01 01:10 23.9
2016-01-01 03:00 24.1
2016-01-01 03:15 24.2
2016-01-01 05:11 25.0
2016-01-01 05:20 23.0
2016-01-01 11:10 30.0
2016-01-01 16:50 27.7
2016-01-01 23:20 25.5

Output I want to have (number or values that were recorded in specific temprature):
Temp. Count(Value)
24-25 1
25-26 2
26-27 0
27-28 0
28-29 0
29-30 1
30-31 0

Re: How to count number of events that occurred near different events

sundareshr — Fri, 21 Oct 2016 12:16:34 GMT

Ah!!! Missed that. What is common between the two sources that uniquely ties Temperation to Char & Values? Let's assume is called id. Then try this

(Characteristic="char1" AND Value>"1.55") OR Temprature="*"  | eventstats values(Temperature) as Temp  by id | where source="sourceforcharacteristcsfile" | bin Temperature bins=10 | stats count by Temperature

Re: How to count number of events that occurred near different events

somesoni2 — Fri, 21 Oct 2016 14:40:31 GMT

Give this a try

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | sort 0 _time | filldown Temperature | where isnotnull(Value)
 |bin Temperature bins=10 |chart count(Value) by Temperature

Re: How to count number of events that occurred near different events

xfiles80 — Thu, 27 Oct 2016 09:52:38 GMT

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | sort 0 _time | filldown Temperature | where isnotnull(Value)
  |bin Temperature bins=10 |chart count(Value) by Temperature

works perfect
Thanks a lot!

Re: How to count number of events that occurred near different events

richgalloway — Thu, 27 Oct 2016 11:37:54 GMT

Please accept the answer.