Dashboards & Visualizations

How to check for alternate criteria for my description

chookp
Explorer

Hi, my code is as follows:

DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP") ASSET_NAME="*TAM/*"
| eval TIMEONLY=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p")
| eval _time=TIMEONLY
| rex field=VALUE mode=sed "s/TRIP/STOP/g"
| rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g"
| rex field=ASSET_NAME "^(?<LOCATION>[^/]+)"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION
| eval newfield=if(duration>=1800, 1, null())
| sort ASSET_NAME

Part of the result I get:

[Attachment: problem 1.JPG]

I would like to ask if there is code I can write so that, under my description, it can check that my pumps are always working alternately, for example:

STN DR Sump Pump 01 Run/Stop Status: DR Pump RM 01

run and stop, followed by

STN DR Sump Pump 02 Run/Stop Status: DR Pump RM 01

then

STN DR Sump Pump 01 Run/Stop Status: DR Pump RM 01

If it happens that the run/stop does not alternate, it should raise an alert or flag it as abnormal or something.


chookp
Explorer

I am also trying to find a way to remove the results where my duration is 0 and the values are only STOP.

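One way to extend the search above so that it answers both questions in this thread (dropping the zero-duration transactions that contain only a STOP, and flagging a pump that runs twice in a row within the same pump room). This is an added example, not code from the original posts. It keeps the fields the question's search already produces (TransactionID, duration, VALUES, _time, ASSET_NAME, DESCRIPTION) and assumes every DESCRIPTION follows the shape shown in the question, "... Pump NN Run/Stop Status: <pump room>"; PUMP_NO, PUMP_ROOM, PREV_PUMP_NO, ALTERNATION and duty_flag are field names chosen for this example.

```spl
DESCRIPTION="* sump *" OR (DESCRIPTION="* ejector pump *" AND DESCRIPTION="* run/stop *") (VALUE="RUN" OR VALUE="STOP" OR VALUE="TRIP") ASSET_NAME="*TAM/*"
| eval _time=strptime(CREATEDATETIME, "%d/%m/%Y %I:%M:%S %p")
| rex field=VALUE mode=sed "s/TRIP/STOP/g"
| rex field=DESCRIPTION mode=sed "s/Trip/Run\/Stop/g"
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME DESCRIPTION
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME DESCRIPTION
| where NOT (duration=0 AND mvcount(VALUES)=1 AND mvindex(VALUES,0)="STOP")
| rex field=DESCRIPTION "(?i)pump\s+(?<PUMP_NO>\d+)\s+run/stop status:\s*(?<PUMP_ROOM>.+)$"
| where isnotnull(PUMP_NO)
| sort 0 PUMP_ROOM _time
| streamstats current=f last(PUMP_NO) AS PREV_PUMP_NO BY PUMP_ROOM
| eval ALTERNATION=case(isnull(PREV_PUMP_NO), "first cycle", PREV_PUMP_NO=PUMP_NO, "ABNORMAL - same pump ran twice in a row", true(), "ok")
| eval duty_flag=if(duration>=1800, 1, null())
| table _time PUMP_ROOM PUMP_NO PREV_PUMP_NO ALTERNATION duration VALUES ASSET_NAME DESCRIPTION
```

How it works, step by step: the `where NOT (duration=0 AND mvcount(VALUES)=1 AND mvindex(VALUES,0)="STOP")` line removes the transactions from the second post (a lone STOP with nothing after it), and it has to come right after `stats`, because `duration` and `VALUES` only exist from that point on. The `rex` pulls the pump number and the text after "Run/Stop Status:" out of DESCRIPTION, so the two descriptions in the question both land in PUMP_ROOM "DR Pump RM 01" with PUMP_NO "01" and "02"; the `where isnotnull(PUMP_NO)` drops any description that does not match that pattern, so check the regex against your real descriptions (the ejector pump wording may differ) before relying on it. `sort 0` puts each room's cycles in time order (the `0` lifts the default 10,000-row limit), and `streamstats current=f last(PUMP_NO) ... BY PUMP_ROOM` then gives each cycle the pump number of the previous cycle in the same room. The `case()` marks the first cycle of a room, an "ABNORMAL" cycle when the same pump ran twice in a row, and "ok" otherwise. For a room with exactly two pumps that is the strict alternation you describe; with more pumps it only guarantees that no pump repeats. To turn this into an alert, save the search with `| where like(ALTERNATION, "ABNORMAL%")` appended and trigger when the number of results is greater than 0.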