Splunk Search

Collecting _time from a different event

Path Finder


I am hoping this is easy and I am blanking. I have a data source that logs what work order is in station one. I am looking to get an offline_time based on when a work order reaches a certain station.

_time    WO      count
11:45    1231    1
11:40    1232    2
11:35    1233    3
11:30    1234    4 ..... etc

So the _time is when the work starts, and when count reaches a certain number the work order would be done on the line (count would equal 35 in my case). I would like to collect the _time of what is in count=1 when the count reaches 35.




You may use stats/eventstats with eval.

Please try this run-anywhere example. It injects the time of the first event into every event. Let us know what your final expected result is.

|makeresults count=35|streamstats count
|eval _time=_time+count*5|eval wo="order_".count
|eventstats first(eval(if(count==1,_time,null()))) as starting_time



Path Finder

This works when looking at one specific record. What I am looking for is to record the _time when a work order reaches a specific count number. I would like to record the _time when a WO hits count=6, count=12, count=18 .... etc, to record when the work order hits certain spots on the count. The problem is my dataset records them just when they begin the work order.


So ideally, I'd have the time at specific count numbers, but the only way I can tell when that time would be is by when the most recent one starts. 



Ok, how do you know that the WO hits that count? Or is that defined? Using the previous dummy search, could you please point out the values manually and the steps to decide the count number?



Path Finder

So I guess that is what my problem is. After the next event is added, the count changes. I could make it static but then wouldn't be able to tell when events are at certain spots. So I was wondering how to log a time when each event reaches the count of a certain number. 

So something like the following, looking at two different scenarios where we collect the _time when a count reaches 3.

_time    WO      Count    time_to_log
9:15     1234    1
9:00     1233    2
8:45     1232    3        9:15
8:30     1231    4        9:00


Next event comes:

_time    WO      Count    time_to_log
9:30     1235    1
9:15     1234    2
9:00     1233    3        9:30
8:45     1232    4        9:15
8:30     1231    5        9:00



Ok, if you know the counter, 3 in our case, you may try this:

|makeresults count=5|streamstats count as _int
|eval _time=_time+_int*600|eval wo="order_"._int
|streamstats count
|rename COMMENT as "Created dummy events above and set the counter below" 
|eval COUNTER=3
|eventstats values(_time) as _time_list
|eval my_time=mvindex(_time_list,-(count-(COUNTER-1)))
|convert ctime(my_time) as my_time
|eval my_time=if(count < COUNTER,null(),my_time)

You can play around by changing count=5 to other values and also COUNTER=3 to other values.


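As an added example (not from the original thread), the same idea applied to the asker's own sample data, using a streamstats sliding window instead of an eventstats value list; unlike values(), the window approach does not de-duplicate events that share an identical _time. The dates and work order numbers are constructed.

```spl
| makeresults count=5
| streamstats count as n
| eval WO=1230+n, _time=strptime("2021-01-01 08:30", "%Y-%m-%d %H:%M")+(n-1)*900
| fields - n
| rename COMMENT as "Constructed events above: WO 1231..1235 starting 08:30, 08:45, ..., 09:30"
| sort - _time
| streamstats count
| rename COMMENT as "Newest event first, so count=1 is the work order that just entered station one"
| streamstats window=3 max(_time) as time_to_log
| rename COMMENT as "COUNTER=3: this WO reached count 3 at the newest _time among itself and the two events after it"
| eval time_to_log=if(count<3, null(), time_to_log)
| convert ctime(time_to_log)
| table _time WO count time_to_log
```

Expected rows are count=3 (WO 1233) logging 09:30, count=4 logging 09:15, count=5 logging 09:00, and null for counts 1 and 2, matching the second table above; to log a different threshold change window=3 and the count<3 guard together, and for several thresholds (6, 12, 18) add one streamstats/eval pair per threshold, each with its own window.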