Splunk Cloud Platform

How to change count value?

Cat26
Loves-to-Learn Lots

For the below table, 26th row, count should be 8 because there is a different Mac_ID in between.

| streamstats count(eval(Mac_ID=="Serial num")) as Inspection_Count

The query I have written is: if a serial number is followed by a mac_id, then the count should be calculated. But here in the 26th row there is no serial number, so the count is continuing. How can I change the count if the mac_Id changes in between when there is no serial number?

Sno _time Device_ID Mac_ID Inspection_Count
1 2018-05-31T03:24:57.182+05:30 10 Started 1
2 2018-05-31T03:24:57.182+05:30 10 Serialnum 1
3 2018-05-31T03:24:58.869+05:30 10 5102 1
4 2018-05-31T03:25:09.179+05:30 10 5102 1
5 2018-05-31T06:23:23.446+05:30 10 Started 2
6 2018-05-31T06:23:23.446+05:30 10 Serialnum 2
7 2018-05-31T06:23:24.608+05:30 10 5102 2
8 2018-05-31T06:40:46.619+05:30 10 Started 3
9 2018-05-31T06:40:46.619+05:30 10 Serialnum 3
10 2018-05-31T06:46:59.594+05:30 10 5102 3
11 2018-05-31T06:47:00.084+05:30 10 5102 3
12 2018-05-31T06:47:03.098+05:30 10 5102 3
13 2018-05-31T06:58:30.714+05:30 10 Started 4
14 2018-05-31T06:58:30.714+05:30 10 Serialnum 4
15 2018-05-31T07:21:47.990+05:30 10 Started 5
16 2018-05-31T07:21:47.990+05:30 10 Serialnum 5
17 2018-05-31T07:22:09.677+05:30 10 5102 5
18 2018-05-31T07:22:10.063+05:30 10 5102 5
19 2018-05-31T07:22:11.070+05:30 10 5102 5
20 2018-09-05T10:30:13.455+05:30 86 Started 6
21 2018-09-05T10:30:13.455+05:30 86 Serialnum 6
22 2018-09-05T11:08:18.761+05:30 86 Started 7
23 2018-09-05T11:08:18.761+05:30 86 Serialnum 7
24 2018-09-05T11:08:41.907+05:30 86 7878 7
25 2018-09-05T11:08:42.071+05:30 86 7878 7
26 2018-09-05T11:09:04.068+05:30 86 8765 7
27 2018-09-05T11:09:26.877+05:30 86 8765 7
28 2018-09-05T11:09:41.845+05:30 86 8765 7
0 Karma

Cat26
Loves-to-Learn Lots

I am not sure why Inspectioncount starts at 1 instead of 0.

Now if you see the 26th row, Mac_Id changes from 7878 to 8765 and there is no "Serialnum" row between 7878 and 8765. Here, if there is no "Serialnum" row and macid changes, inspectioncount should also change.

So the expected inspection count is 8 here.

Can you please help me to modify the above query?

0 Karma

richgalloway
SplunkTrust

I'm sorry, but I can't help with this question as it is currently written.  There are too many inconsistencies in the sample output so I can't figure out what logic to implement.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

The description does not match the SPL which doesn't match the output.

The SPL increments Inspection_Count each time the Mac_ID field contains the value "Serial num" [sic].  That means the Inspection_Count column should start at zero and increase by one at rows 2, 6, 9, 14, 16, 21, and 23.  I see nothing special about row 26.

---
If this reply helps you, Karma would be appreciated.
0 Karma
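
The running count described in the reply above, modelled in Python over the Mac_ID column from the question's table (an added example, not code from the thread, and a Python stand-in for the streamstats logic rather than SPL). `count_with_id_change` encodes one assumed reading of the question: a device Mac_ID that directly follows a different device Mac_ID also starts a new inspection.

```python
# Mac_ID column copied from rows 1-28 of the table in the question.
MAC_IDS = (
    "Started Serialnum 5102 5102 "
    "Started Serialnum 5102 "
    "Started Serialnum 5102 5102 5102 "
    "Started Serialnum "
    "Started Serialnum 5102 5102 5102 "
    "Started Serialnum "
    "Started Serialnum 7878 7878 8765 8765 8765"
).split()

MARKERS = {"Started", "Serialnum"}  # rows that are not device Mac_IDs


def count_serialnum(mac_ids, literal="Serialnum"):
    """Running count of rows whose Mac_ID equals `literal`, i.e. what
    streamstats count(eval(Mac_ID==literal)) yields for each row."""
    total, out = 0, []
    for mac in mac_ids:
        total += mac == literal
        out.append(total)
    return out


def count_with_id_change(mac_ids):
    """Assumed rule (not confirmed in the thread): count a "Serialnum" row,
    or a device Mac_ID that directly follows a different device Mac_ID."""
    total, out, prev = 0, [], None
    for mac in mac_ids:
        changed = (prev is not None and mac not in MARKERS
                   and prev not in MARKERS and mac != prev)
        total += (mac == "Serialnum") or changed
        out.append(total)
        prev = mac
    return out


def increment_rows(counts):
    """1-based row numbers at which the running count goes up."""
    return [i + 1 for i, c in enumerate(counts)
            if c > (counts[i - 1] if i else 0)]


if __name__ == "__main__":
    for name, counts in (("serialnum only", count_serialnum(MAC_IDS)),
                         ("with id change", count_with_id_change(MAC_IDS))):
        print(name, increment_rows(counts), "row 26 =", counts[25])
```

Passing the literal exactly as posted, `count_serialnum(MAC_IDS, "Serial num")`, returns 0 for every row, because the table's values are spelled `Serialnum`.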