Splunk Search

Count of consecutive like events.

topleyg
New Member

Hi all,

Is there a way to produce a count of consecutive like events in Splunk?

  • Example Logs

bookingEvent
bookingEvent
bookingEvent
bookingEvent
failureEvent
failureEvent
bookingEvent
bookingEvent

  • Example Desired Output

bookingEvent 4
failureEvent 2
bookingEvent 2


KailA
Contributor

Hi,

Let's try something and tell me if it works.

If your field is TypeEvent, your search would be:

your search
| streamstats count as NbrOfConsecutiveEvents BY TypeEvent reset_on_change=true
| reverse
| streamstats count as nb BY TypeEvent reset_on_change=true
| where nb=1

Hope it helps

KailA


abhishekgupta61
Engager

Thanks for your help. It works for me.


HeinzWaescher
Motivator

Let's say your field is "eventName", try something like

| autoregress eventName
| eval consecutiveEvent=if(eventName_p1=eventName, 1, 0)
| streamstats current=t count(eval(consecutiveEvent=0)) AS eventGroup
| stats values(eventName) AS eventName, count BY eventGroup
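Both answers above (KailA's double streamstats with reset_on_change, and HeinzWaescher's autoregress grouping) compute a run-length count of consecutive like events. The Python below is an added example, not code from the thread or from Splunk: it reproduces the same computation on a constructed event list so a search result can be checked against it. One point worth keeping in mind: Splunk returns events newest first unless the search sorts or reverses them, so the order of the runs in the output depends on direction, while the run lengths do not. The field names eventName and n and the sample data are assumptions.

```python
"""Consecutive-like-event counts in plain Python (added example, not from
the thread or from Splunk): it reproduces what the streamstats and
autoregress pipelines above compute, so a search result can be checked
against it. The sample events are constructed."""
from itertools import groupby

# Constructed sample, newest first: the order Splunk returns events in
# when the search has no `| sort` or `| reverse`.
SAMPLE_EVENTS = [
    {"_time": 8, "eventName": "bookingEvent"},
    {"_time": 7, "eventName": "bookingEvent"},
    {"_time": 6, "eventName": "failureEvent"},
    {"_time": 5, "eventName": "failureEvent"},
    {"_time": 4, "eventName": "bookingEvent"},
    {"_time": 3, "eventName": "bookingEvent"},
    {"_time": 2, "eventName": "bookingEvent"},
    {"_time": 1, "eventName": "bookingEvent"},
]


def streamstats_count_reset_on_change(events, field):
    """Row-by-row equivalent of
    `streamstats count AS n BY <field> reset_on_change=true`:
    the counter restarts at 1 whenever <field> differs from the row before."""
    rows, previous, n = [], None, 0
    for event in events:
        n = n + 1 if event[field] == previous else 1
        previous = event[field]
        rows.append({**event, "n": n})
    return rows


def keep_last_of_each_run(events, field):
    """KailA's two-pass trick: after counting, keep only the last row of
    each run, which carries the full run length. Output keeps input order."""
    counted = streamstats_count_reset_on_change(events, field)
    return [(row[field], row["n"]) for i, row in enumerate(counted)
            if i + 1 == len(counted) or counted[i + 1][field] != row[field]]


def consecutive_runs(events, field, time_field="_time"):
    """[(value, run_length)] oldest first, i.e. the question's desired
    output. Sorting by time matters only for the order of the runs:
    run lengths are the same whichever direction the stream is walked."""
    ordered = sorted(events, key=lambda e: e[time_field])
    return [(value, sum(1 for _ in run))
            for value, run in groupby(ordered, key=lambda e: e[field])]
```

The same functions handle the Date/Status variant further down the thread: pass "Status" as the field and a sortable date as the time field.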

alacercogitatus
SplunkTrust

It would be best to assign each value to a field. Then you can do:

your_search | stats count by type_event

where type_event = bookingEvent OR type_event = failureEvent.

But just based on your raw data above, this should work:

your_search | rex field=_raw "(?<type_event>\w+)Event" | stats count by type_event

alacercogitatus
SplunkTrust

The other data might be needed to properly correlate these events.


abhishekgupta61
Engager

Hi,

I have a similar issue, and I have one more column, Date, alongside the column he shared.

Date : Status
1/1/2018 : Green
1/2/2018 : Green
1/3/2018 : Red
1/4/2018 : Green
1/5/2018 : Red

Desired result is :
Status : Count
Green : 2
Red : 1
Green : 1
Red : 1


topleyg
New Member

There is other data, yes; I have simplified it for the purpose of this question.


alacercogitatus
SplunkTrust

Do you have any other data in the log?


topleyg
New Member

Thanks alacercogitatus, but this gives a count of all events over the time period, which is not what I want. I want to produce a count of the consecutive like events.
