Splunk Search

Consecutively two times - possible?

reverse
Contributor
 _time                 entity_id    value      duration
 2016-01-21 06:52:04    lightA        1           770
 2016-01-21 06:52:09    lightB        1           765
 2016-01-21 06:52:10    lightC        1           769
 2016-01-21 07:04:54    lightB        0           664
 2016-01-21 07:04:54    lightA        0           663
 2016-01-21 07:04:59    lightC        0           9416
 2016-01-21 07:15:57    lightC        1           8776
 2016-01-21 07:15:58    lightB        1           8775

Assuming the above is the outcome of my query, I want to reduce this result to data where lightC came consecutively in two rows back to back. Possible?

0 Karma

to4kawa
Ultra Champion
| stats count
| eval _raw="time,entity_id,value,duration
2016-01-21 06:52:04,lightA,1,770
2016-01-21 06:52:09,lightB,1,765
2016-01-21 06:52:10,lightC,1,769
2016-01-21 07:04:54,lightB,0,664
2016-01-21 07:04:54,lightA,0,663
2016-01-21 07:04:59,lightC,0,9416
2016-01-21 07:15:57,lightC,1,8776
2016-01-21 07:15:58,lightB,1,8775"
| multikv forceheader=1
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S")
`comment("this is sample data")`
| table _time,entity_id,value,duration
`comment("this is sample data")`
| where entity_id=="lightC" AND value==1

Hi, this is a sample query.

_time   entity_id   value   duration
2016/01/21 06:52:10 lightC  1   769
2016/01/21 07:15:57 lightC  1   8776

Is this the result you expected?

0 Karma

arjunpkishore5
Motivator

Possible. However, since I don't have more details on what the final outcome is, I don't have a code sample.

Take a look at streamstats with the reset_on_change flag.
https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Streamstats

0 Karma