_time                entity_id  value  duration
2016-01-21 06:52:04  lightA     1      770
2016-01-21 06:52:09  lightB     1      765
2016-01-21 06:52:10  lightC     1      769
2016-01-21 07:04:54  lightB     0      664
2016-01-21 07:04:54  lightA     0      663
2016-01-21 07:04:59  lightC     0      9416
2016-01-21 07:15:57  lightC     1      8776
2016-01-21 07:15:58  lightB     1      8775
Assuming the above is the outcome of my query, I want to reduce this result to the data where lightC came consecutively in two rows, back to back. Possible?
| stats count
| eval _raw="time,entity_id,value,duration
2016-01-21 06:52:04,lightA,1,770
2016-01-21 06:52:09,lightB,1,765
2016-01-21 06:52:10,lightC,1,769
2016-01-21 07:04:54,lightB,0,664
2016-01-21 07:04:54,lightA,0,663
2016-01-21 07:04:59,lightC,0,9416
2016-01-21 07:15:57,lightC,1,8776
2016-01-21 07:15:58,lightB,1,8775"
| multikv forceheader=1
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S")
| table _time,entity_id,value,duration
`comment("this is sample data")`
| where entity_id=="lightC" AND value==1
Hi, this is a sample query.
_time                entity_id  value  duration
2016/01/21 06:52:10  lightC     1      769
2016/01/21 07:15:57  lightC     1      8776
Is this the result you expected?
Possible. However, since I don't have more details on what the final outcome is, I don't have a code sample.
Take a look at streamstats with the reset_on_change flag.
https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Streamstats
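As an added illustration (not code from this thread or from Splunk), the following Python script models what the streamstats-based approach computes: a running count per run of consecutive rows that share the same entity_id, which is what `streamstats count ... reset_on_change=true by entity_id` is intended to give according to the docs linked above (that reading of the docs is my assumption, not something the thread states). The rows are copied from the question's table as constructed input; the function names and the `min_run` parameter are my own.

```python
from datetime import datetime
from itertools import groupby

# Constructed sample rows, copied from the table in the question.
ROWS = [
    ("2016-01-21 06:52:04", "lightA", 1, 770),
    ("2016-01-21 06:52:09", "lightB", 1, 765),
    ("2016-01-21 06:52:10", "lightC", 1, 769),
    ("2016-01-21 07:04:54", "lightB", 0, 664),
    ("2016-01-21 07:04:54", "lightA", 0, 663),
    ("2016-01-21 07:04:59", "lightC", 0, 9416),
    ("2016-01-21 07:15:57", "lightC", 1, 8776),
    ("2016-01-21 07:15:58", "lightB", 1, 8775),
]


def parse_rows(rows):
    """Turn the raw tuples into event dicts with a real datetime (like strptime in SPL),
    sorted ascending by _time. The sort is stable, so rows with identical timestamps
    keep their original relative order, as in the question's table."""
    events = [
        {
            "_time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            "entity_id": e,
            "value": v,
            "duration": d,
        }
        for t, e, v, d in rows
    ]
    return sorted(events, key=lambda ev: ev["_time"])


def tag_runs(events):
    """Annotate every event with run_pos (1-based position inside its run of
    consecutive rows with the same entity_id) and run_len (length of that run).
    run_pos is the counter that streamstats with reset_on_change would produce;
    run_len is what you get by computing the same counter in reverse order as well."""
    tagged = []
    # groupby only merges *adjacent* equal keys, which is exactly "consecutive rows".
    for _, group in groupby(events, key=lambda ev: ev["entity_id"]):
        run = list(group)
        for pos, ev in enumerate(run, start=1):
            tagged.append({**ev, "run_pos": pos, "run_len": len(run)})
    return tagged


def consecutive_rows(events, entity="lightC", min_run=2):
    """Return only the rows of `entity` that belong to a run of at least `min_run`
    consecutive rows. Both rows of a back-to-back pair are returned, not just the second."""
    return [
        ev
        for ev in tag_runs(events)
        if ev["entity_id"] == entity and ev["run_len"] >= min_run
    ]


def format_times(events):
    """Helper for display and testing: the _time column as strings."""
    return [ev["_time"].strftime("%Y-%m-%d %H:%M:%S") for ev in events]


if __name__ == "__main__":
    for ev in consecutive_rows(parse_rows(ROWS)):
        print(ev["_time"], ev["entity_id"], ev["value"], ev["duration"],
              "run", ev["run_pos"], "of", ev["run_len"])
```

On the question's data this returns the 07:04:59 and 07:15:57 lightC rows (the only back-to-back pair) and nothing for lightB, whose three rows are never adjacent. If only the second row of each pair is wanted, filter on `run_pos >= 2` instead of `run_len`; that corresponds to checking the previous event's entity_id with a one-event streamstats window.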