https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265565#M79806 <P>I would like to group continuous events that occur in order over time, and have a common name. </P> <P>For example:</P> <P>_time name<BR /> 2016-09-05 10:15:36.691 A<BR /> 2016-09-05 10:15:32.519 B<BR /> 2016-09-05 10:15:22.708 C<BR /> 2016-09-05 10:10:37.374 C<BR /> 2016-09-05 10:10:25.848 B<BR /> 2016-09-05 10:10:08.099 B<BR /> 2016-09-05 10:10:03.349 B<BR /> 2016-09-05 10:09:31.304 A<BR /> 2016-09-05 10:09:16.339 A<BR /> 2016-09-05 10:09:07.415 A</P> <P>Would yield:<BR /> _time name count<BR /> 2016-09-05 10:15:36.691 A 1<BR /> 2016-09-05 10:15:32.519 B 1<BR /> 2016-09-05 10:15:22.708 C 2<BR /> 2016-09-05 10:10:25.848 B 3<BR /> 2016-09-05 10:09:31.304 A 3</P> <P>Stats and transaction seem to work over all events in a stream, and I haven't found an obvious was to cluster based on the continuous nature of the data.</P> <P>Thanks in advance</P> Mon, 05 Sep 2016 09:38:43 GMT ollie920049 2016-09-05T09:38:43Z https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265565#M79806 <P>I would like to group continuous events that occur in order over time, and have a common name. </P> <P>For example:</P> <P>_time name<BR /> 2016-09-05 10:15:36.691 A<BR /> 2016-09-05 10:15:32.519 B<BR /> 2016-09-05 10:15:22.708 C<BR /> 2016-09-05 10:10:37.374 C<BR /> 2016-09-05 10:10:25.848 B<BR /> 2016-09-05 10:10:08.099 B<BR /> 2016-09-05 10:10:03.349 B<BR /> 2016-09-05 10:09:31.304 A<BR /> 2016-09-05 10:09:16.339 A<BR /> 2016-09-05 10:09:07.415 A</P> <P>Would yield:<BR /> _time name count<BR /> 2016-09-05 10:15:36.691 A 1<BR /> 2016-09-05 10:15:32.519 B 1<BR /> 2016-09-05 10:15:22.708 C 2<BR /> 2016-09-05 10:10:25.848 B 3<BR /> 2016-09-05 10:09:31.304 A 3</P> <P>Stats and transaction seem to work over all events in a stream, and I haven't found an obvious was to cluster based on the continuous nature of the data.</P> <P>Thanks in advance</P> Mon, 05 Sep 2016 09:38:43 GMT https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265565#M79806 ollie920049 2016-09-05T09:38:43Z https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265566#M79807 <P>If the splunk version is 6.4 or above , try this</P> <P>|streamstats count as s_c by name reset_on_change=true current=t</P> Tue, 29 Sep 2020 10:52:36 GMT https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265566#M79807 renjith_nair 2020-09-29T10:52:36Z https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265567#M79808 <P>Try like this</P> <PRE><CODE>your base search | streamstats current=f window=1 values(name) prev | eval temp=case(isnull(prev),1,prev!=name,1,true(),0) | accum temp| eventstats count by temp | fields - temp </CODE></PRE> Mon, 05 Sep 2016 17:23:04 GMT https://community.splunk.com/t5/Splunk-Search/Group-events-that-occur-continuously-and-contain-a-common-name/m-p/265567#M79808 somesoni2 2016-09-05T17:23:04Z