Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Count of consecutive like events.

topleyg
New Member
‎10-29-2013 02:16 AM

Hi all,

Is there a way to produce a count of consecutive like events in Splunk?

  • Example Logs

bookingEvent

bookingEvent

bookingEvent

bookingEvent

failureEvent

failureEvent

bookingEvent

bookingEvent

  • Example Desired Output

bookingEvent 4

failureEvent 2

bookingEvent 2

Tags (2)
0 Karma
Reply

KailA
Contributor
‎07-20-2018 08:58 AM

Hi,

Let's try something and tell me if it work.

If your field is TypeEvent

you search
| streamstats count as NbrOfConsecuviteEvents BY TypeEvent reset_on_change=true
| reverse
| streamstats count as nb BY TypeEvent reset_on_change=true
| where nb=1

Hope it helps

KailA

0 Karma
Reply

abhishekgupta61
Engager
‎07-24-2018 07:28 AM

Thanks for your help. It works for me.

0 Karma
Reply

HeinzWaescher
Motivator
‎07-20-2018 06:45 AM

Let's say your field is "eventName", try something like

 |  autoregress eventName
 |  eval consecutiveEvent=if(eventName_p1=eventName, 1, 0)
 | streamstats current=t count(eval(consecutiveEvent=0)) AS eventGroup
 |  stats values(eventName) AS eventName, count BY eventGroup
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-29-2013 04:13 AM

It would be best to assign each value to a field. Then you can do:

your_search | stats count by type_event

where type_event = bookingEvent OR type_event = failureEvent.

But just based on your raw data above, this should work:

your_search | rex field=_raw "(?<type_event>\w+)Event" | stats count by type_event

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-29-2013 05:39 AM

The other data might be needed to properly correlate these events.

0 Karma
Reply

abhishekgupta61
Engager
‎07-20-2018 06:03 AM

Hi,

I have similar issue and I have one more column Date with the column he shared.

Date : Status
1/1/2018 : Green
1/2/2018 : Green
1/3/2018 : Red
1/4/2018 : Green
1/5/2018 : Red

Desired result is :
Status : Count
Green : 2
Red : 1
Green : 1
Red : 1

0 Karma
Reply

topleyg
New Member
‎10-29-2013 05:21 AM

there is other data yes, i have simplified it for the purpose of this question.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-29-2013 04:48 AM

Do you have any other data in the log?

0 Karma
Reply

topleyg
New Member
‎10-29-2013 04:45 AM

thanks alacercogitatus, this gives a count of all events over the time period which is not what I want. I want to produce a count of the consecutive like events.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...