Re: Collecting _time from a different event

strehb18 · ‎12-21-2020

Hello,

I am hoping this is easy and I am blanking. I have a data source the logs what work order is in station one. I am looking to get an offline_time based on when a work order reaches a certain station.

Ex
_time WO count

11:45 1231 1

11:40 1232 2

11:35 1233 3
11:30 1234 4 ..... etc

So the _time is when the work starts and when count reaches a certain number, the work order would be done on the line(count would equal 35 in my case) . I would like to collect the _time of what is in count=1 when the count reaches 35.

Thanks.

renjith_nair · ‎12-21-2020

you may use stats/eventstats with eval

Please try this run anywhere example. It injects the time of first event in every event. Let's know what's your final expected result

|makeresults count=35|streamstats count
|eval _time=_time+count*5|eval wo="order_".count
|eventstats first(eval(if(count==1,_time,null()))) as starting_time

---
What goes around comes around. If it helps, hit it with Karma 🙂

strehb18 · ‎12-22-2020

This works for when looking at one specific record. What I am looking for is to record the _time when a work order reaches at specific count number. I would like to record the _time when a WO hits count=6, count= 12, count = 18.... etc to record when the work order hits certain spots on the count. The problem is my dataset records them just when they begin the work order.

So ideally, I'd have the time at specific count numbers, but the only way I can tell when that time would be is by when the most recent one starts.

renjith_nair · ‎12-22-2020

Ok, how do you know that the WO hits that count? Or is that defined? Using the previous dummy search, could you please point out the values manually and the steps to decide the count number?

Thanks!

---
What goes around comes around. If it helps, hit it with Karma 🙂

strehb18 · ‎12-23-2020

So I guess that is what my problem is. After the next event is added, the count changes. I could make it static but then wouldn't be able to tell when events are at certain spots. So I was wondering how to log a time when each event reaches the count of a certain number.

So something like, looking at two different scenarios where we collect the _time when a count reaches 3.

_time WO Count time_to_log
9:15 1234 1

9:00 1233 2

8:45 1232 3 9:15

8:30 1231 4 9:00

Next Event comes

_time WO Count time_to_log

9:30 1235 1

9:15 1234 2

9:00 1233 3 9:30

8:45 1232 4 9:15

8:30 1231 5 9:00

renjith_nair · ‎12-27-2020

Ok, if you know the counter, 3 in our case, you may try this

|makeresults count=5|streamstats count as _int
|eval _time=_time+_int*600|eval wo="order_"._int
|reverse
|streamstats count
|rename COMMENT as "Created dummy events above and set the counter below" 
|eval COUNTER=3
|eventstats values(_time) as _time_list
|eval my_time=mvindex(_time_list,-(count-(COUNTER-1)))
|convert ctime(my_time) as my_time
|eval my_time=if(count < COUNTER,null(),my_time)

You can play around by changing count=5 to another values and also the COUNTER=3 to other values

---
What goes around comes around. If it helps, hit it with Karma 🙂

Collecting _time from a different event

eval

fields

stats

table

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...