Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Collecting _time from a different event

strehb18
Path Finder
‎12-21-2020 01:07 PM

Hello,

I am hoping this is easy and I am blanking. I have a data source the logs what work order is in station one. I am looking to get an offline_time based on when a work order reaches a certain station. 

Ex 
_time             WO         count

11:45             1231             1

11:40             1232              2 

11:35             1233              3 
11:30             1234              4 ..... etc

So the _time is when the work starts and when count reaches a certain number, the work order would be done on the line(count would equal 35 in my case) . I would like to collect the _time of what is in count=1 when the count reaches 35. 

Thanks. 

Labels (4)
Labels
0 Karma
Reply

renjith_nair
Legend
‎12-21-2020 06:17 PM

you may use stats/eventstats with eval

Please try this run anywhere example. It injects the time of first event in every event. Let's know what's your final expected result

|makeresults count=35|streamstats count
|eval _time=_time+count*5|eval wo="order_".count
|eventstats first(eval(if(count==1,_time,null()))) as starting_time

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

strehb18
Path Finder
‎12-22-2020 12:26 PM

This works for when looking at one specific record. What I am looking for is to record the _time when a work order reaches at specific count number. I would like to record the _time when a WO hits count=6, count= 12, count = 18.... etc to record when  the work order hits certain spots on the count. The problem is my dataset records them just when they begin the work order. 

 

So ideally, I'd have the time at specific count numbers, but the only way I can tell when that time would be is by when the most recent one starts. 

0 Karma
Reply

renjith_nair
Legend
‎12-22-2020 07:20 PM

Ok, how do you know that the WO hits that count? Or is that defined? Using the previous dummy search, could you please point out the values manually and the steps to decide the count number?

Thanks!

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

strehb18
Path Finder
‎12-23-2020 07:21 AM

So I guess that is what my problem is. After the next event is added, the count changes. I could make it static but then wouldn't be able to tell when events are at certain spots. So I was wondering how to log a time when each event reaches the count of a certain number. 

So something like, looking at two different scenarios where we collect the _time when a count reaches 3. 

_time        WO     Count    time_to_log
9:15         1234        1                

9:00         1233        2 

8:45          1232       3                9:15

8:30          1231       4                9:00

 

Next Event comes

_time      WO      Count      time_to_log

9:30        1235         1           

9:15        1234         2 

9:00         1233        3              9:30

8:45         1232        4              9:15

8:30         1231        5              9:00 

0 Karma
Reply

renjith_nair
Legend
‎12-27-2020 07:46 PM

Ok, if you know the counter, 3 in our case, you may try this

|makeresults count=5|streamstats count as _int
|eval _time=_time+_int*600|eval wo="order_"._int
|reverse
|streamstats count
|rename COMMENT as "Created dummy events above and set the counter below" 
|eval COUNTER=3
|eventstats values(_time) as _time_list
|eval my_time=mvindex(_time_list,-(count-(COUNTER-1)))
|convert ctime(my_time) as my_time
|eval my_time=if(count < COUNTER,null(),my_time)

You can play around by changing count=5 to another values and also the COUNTER=3 to other values

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...