@godman, slightly different approach than @renjith.nair's answer as it looks for 3 or more failures before success in the final where clause.
| gentimes start=-20 increment=1d
| eval _time=starttime
| fields _time
| appendcols [| makeresults
| eval status="success,failed,failed,failed,success,success,success,failed,failed,success,failed,failed,failed,success,success,failed,failed,failed,failed,success"
| makemv delim="," status
| mvexpand status]
| streamstats count by status reset_on_change=true
| reverse
| streamstats last(status) as nextStatus current=f window=1
| where status="failed" and nextStatus="success" and count>=3
PS: Depending on the chronological or reverse chronological sort of actual data the reverse command might need to be changed. The above run anywhere example generates chronological sorted events by default. Commands from | gentimes till | mvexpand status] generate some sample status with time.
@godman,
Are you looking for something similar to
|makeresults|eval status="success,failed,failed,failed,success,failed,failed,success,failed"|makemv delim="," status|mvexpand status
|streamstats count by status reset_on_change=true|delta count as difference|where difference==-2 AND status=="success"
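
To check both searches against known input, this Python sketch (an added example, not code from either answer) models `streamstats count by status reset_on_change=true` and the two final where clauses on the first answer's sample sequence. The function names are made up for the illustration, and events are assumed to be in chronological order.

```python
from itertools import groupby

# Constructed input: the status sequence from the first answer's sample search.
SAMPLE = ("success,failed,failed,failed,success,success,success,failed,failed,"
          "success,failed,failed,failed,success,success,failed,failed,failed,"
          "failed,success").split(",")


def run_counts(statuses):
    """Model `streamstats count by status reset_on_change=true`:
    a running count that restarts at 1 whenever status changes."""
    counts = []
    for _, run in groupby(statuses):
        counts.extend(range(1, len(list(run)) + 1))
    return counts


def at_least_n_failures(statuses, n=3):
    """First answer: positions of the last failure in each run of n or more
    failures that is immediately followed by a success."""
    counts = run_counts(statuses)
    return [i for i in range(len(statuses) - 1)
            if statuses[i] == "failed" and counts[i] >= n
            and statuses[i + 1] == "success"]


def delta_minus_two(statuses):
    """Second answer: positions of successes where the count drops by 2
    from the previous event (`delta count as difference`)."""
    counts = run_counts(statuses)
    return [i for i in range(1, len(statuses))
            if statuses[i] == "success" and counts[i] - counts[i - 1] == -2]


if __name__ == "__main__":
    print("3+ failures then success, last failure at:", at_least_n_failures(SAMPLE))
    print("difference == -2 on success at:", delta_minus_two(SAMPLE))
```

On this sequence the first check reports the failure runs of length 3, 3 and 4, while the `difference==-2` check reports only the two successes that follow exactly three failures.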