Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Consecutive events by field - only show points in time where number of such events equals 5

isvaljek
New Member
‎02-11-2019 03:43 AM

I'm trying to find points in time where a consecutive event happens 5 times in a row.
I currently have this query:

partner_id=9991| streamstats count BY timeout reset_on_change=true  | table timeout, count, _time

But it shows both timeout combinations and their increasing count.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 12:21 AM

Can't you just add | where count==5?

0 Karma
Reply

renjith_nair
Legend
‎02-11-2019 09:47 PM

@isvaljek ,

If you just want one event where number equals 5 use |where count=5

partner_id=9991| streamstats count BY timeout reset_on_change=true  | table timeout, count, _time|where count=5

If you want all the events which are contributing to the consecutive events (ie, event 1 to event 5(n)), try below

partner_id=9991|streamstats last(timeout) as prev window=1 current=f|eval flag=if(timeout==prev OR isnull(prev),0,1)
|accum flag|eventstats count by flag|where count>=5
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...