Solved: Re: get max value before becoming zero and last va...

ips_mandar · ‎12-16-2020

Hi I have below sample data

|makeresults|eval a="1"
|append[|makeresults|eval a="2"]|append[|makeresults|eval a="3"]|append[|makeresults|eval a="4"]|append[|makeresults|eval a="0"]|append[|makeresults|eval a="2"]|append[|makeresults|eval a="4"]|append[|makeresults|eval a="6"]|append[|makeresults|eval a="8"]

Here `a` field values increases and again get to zero and again increases. I want to find max value before getting it to zero also if zero not occurs at last then last value as well .Then I need to sum it up.
so for above sample data I want value 4 and value 8 should be retrieved so that I can sum them to get 4+8=12 as final result.

Thanks,

renjith_nair · ‎12-17-2020

@ips_mandar,

Try this and let me know. Last 3 lines of the search is actual logic and rest is data simulation

| makeresults 
| eval a="1",source="file1" 
| append 
    [| makeresults 
    | eval a="2",source="file1"] 
| append 
    [| makeresults 
    | eval a="3",source="file1"] 
| append 
    [| makeresults 
    | eval a="4",source="file1"] 
| append 
    [| makeresults 
    | eval a="0",source="file1"] 
| append 
    [| makeresults 
    | eval a="2",source="file1"] 
| append 
    [| makeresults 
    | eval a="4",source="file1"] 
| append 
    [| makeresults 
    | eval a="6",source="file1"] 
| append 
    [| makeresults 
    | eval a="8",source="file1"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="3",source="file2"] 
| append 
    [| makeresults 
    | eval a="0",source="file2"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="0",source="file2"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="4",source="file2"] 
| eval counter=if(a==0,1,0) 
| streamstats global=true sum(counter) as group by source 
| stats max(a) as a  by group,source|sort source|fields - group

Happy Splunking!

View solution in original post

ips_mandar · ‎12-16-2020

@renjith_nair Thanks for your answer. Sorry I haven't mention in question that this data is present in one file and I have hundreds of file. so I want the result by source for each file separately.
hence above solution will not work.

renjith_nair · ‎12-17-2020

Possible to simulate the sample data and expected output?

Similar logic could be applied with minor changes and adding the required field to group by

Happy Splunking!

ips_mandar · ‎12-17-2020

@renjith_nair I tried with by clause for accum command but it does not support ..so is there any other way to achieve by clause
Thanks

ips_mandar · ‎12-17-2020

@renjith_nair
for ex. source="file1.txt" contain below data

a	source
1	file1.txt
2	file1.txt
3	file1.txt
4	file1.txt
0	file1.txt
5	file1.txt
8	file1.txt

and another source="file2.txt"

a	source
2	file2.txt
3	file2.txt
0	file2.txt
2	file2.txt
0	file2.txt
2	file2.txt
4	file2.txt

From above two sample file it should extract below -

a	source
4	file1.txt
8	file1.txt
3	file2.txt
2	file2.txt
4	file2.txt

Could you please explain what logic can be applied to group by source

renjith_nair · ‎12-17-2020

@ips_mandar,

Try this and let me know. Last 3 lines of the search is actual logic and rest is data simulation

| makeresults 
| eval a="1",source="file1" 
| append 
    [| makeresults 
    | eval a="2",source="file1"] 
| append 
    [| makeresults 
    | eval a="3",source="file1"] 
| append 
    [| makeresults 
    | eval a="4",source="file1"] 
| append 
    [| makeresults 
    | eval a="0",source="file1"] 
| append 
    [| makeresults 
    | eval a="2",source="file1"] 
| append 
    [| makeresults 
    | eval a="4",source="file1"] 
| append 
    [| makeresults 
    | eval a="6",source="file1"] 
| append 
    [| makeresults 
    | eval a="8",source="file1"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="3",source="file2"] 
| append 
    [| makeresults 
    | eval a="0",source="file2"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="0",source="file2"] 
| append 
    [| makeresults 
    | eval a="2",source="file2"] 
| append 
    [| makeresults 
    | eval a="4",source="file2"] 
| eval counter=if(a==0,1,0) 
| streamstats global=true sum(counter) as group by source 
| stats max(a) as a  by group,source|sort source|fields - group

Happy Splunking!

ips_mandar · ‎12-17-2020

Thanks @renjith_nair I am using the same query already but it runs very slow ..
streamstats vs accum --> accum command runs very fast but the disadvantage is that it does not group by arguments. thanks.

renjith_nair · ‎12-16-2020

Try

| makeresults 
| eval a="1" 
| append 
    [| makeresults 
    | eval a="2"] 
| append 
    [| makeresults 
    | eval a="3"] 
| append 
    [| makeresults 
    | eval a="4"] 
| append 
    [| makeresults 
    | eval a="0"] 
| append 
    [| makeresults 
    | eval a="2"] 
| append 
    [| makeresults 
    | eval a="4"] 
| append 
    [| makeresults 
    | eval a="6"] 
| append 
    [| makeresults 
    | eval a="8"] 
| eval counter=if(a==0,1,0) 
| accum counter as group 
| stats max(a) as max_a by group

Happy Splunking!

get max value before becoming zero and last value

using Splunk Enterprise

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!