Splunk Search

Count of consecutive like events.

topleyg
New Member

Hi all,

Is there a way to produce a count of consecutive like events in Splunk?

  • Example Logs

bookingEvent
bookingEvent
bookingEvent
bookingEvent
failureEvent
failureEvent
bookingEvent
bookingEvent

  • Example Desired Output

bookingEvent 4
failureEvent 2
bookingEvent 2

0 Karma

KailA
Contributor

Hi,

Let's try something and tell me if it works.

If your field is TypeEvent

your search
| streamstats count as NbrOfConsecutiveEvents BY TypeEvent reset_on_change=true
| reverse
| streamstats count as nb BY TypeEvent reset_on_change=true
| where nb=1

Hope it helps

KailA

0 Karma

abhishekgupta61
Engager

Thanks for your help. It works for me.

0 Karma

HeinzWaescher
Motivator

Let's say your field is "eventName", try something like

| autoregress eventName
| eval consecutiveEvent=if(eventName_p1=eventName, 1, 0)
| streamstats current=t count(eval(consecutiveEvent=0)) AS eventGroup
| stats values(eventName) AS eventName, count BY eventGroup
0 Karma
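As an added illustration (not code from any of the posters), the two SPL pipelines in KailA's and HeinzWaescher's answers emulated in plain Python over the question's sample events, so the group-id and reset_on_change logic can be checked offline. Note that the streamstats/reverse version returns the runs in reverse order.

```python
from itertools import groupby

# Constructed sample: the event sequence from the question, in time order.
EVENTS = [
    "bookingEvent", "bookingEvent", "bookingEvent", "bookingEvent",
    "failureEvent", "failureEvent",
    "bookingEvent", "bookingEvent",
]


def runs_autoregress(events):
    """Mirror the autoregress answer.

    autoregress gives each row the previous row's value (eventName_p1,
    null on the first row); consecutiveEvent=0 marks the start of a run;
    the running count of those zeros is the eventGroup id; stats count
    BY that id yields one row per run, in time order.
    """
    groups = []          # one [eventName, count] per eventGroup
    prev = None          # eventName_p1 is null on the first row
    for name in events:
        consecutive = 1 if prev is not None and prev == name else 0
        if consecutive == 0:      # new eventGroup starts here
            groups.append([name, 0])
        groups[-1][1] += 1
        prev = name
    return [(n, c) for n, c in groups]


def runs_streamstats(events):
    """Mirror the streamstats reset_on_change answer.

    First pass: running count per run, reset when the value changes.
    Second pass over the reversed rows: keep only the first row of each
    run (nb=1), which carries that run's full count.
    """
    counts, prev = [], None
    for name in events:
        counts.append(counts[-1] + 1 if name == prev else 1)
        prev = name
    result, prev = [], None
    for name, n in list(zip(events, counts))[::-1]:   # | reverse
        if name != prev:                              # where nb=1
            result.append((name, n))
        prev = name
    return result


def runs_groupby(events):
    """Idiomatic Python cross-check: run-length count with itertools.groupby."""
    return [(k, sum(1 for _ in g)) for k, g in groupby(events)]
```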

alacercogitatus
SplunkTrust

It would be best to assign each value to a field. Then you can do:

your_search | stats count by type_event

where type_event = bookingEvent OR type_event = failureEvent.

But just based on your raw data above, this should work:

your_search | rex field=_raw "(?<type_event>\w+)Event" | stats count by type_event

alacercogitatus
SplunkTrust

The other data might be needed to properly correlate these events.

0 Karma

abhishekgupta61
Engager

Hi,

I have a similar issue, and I have one more column, Date, in addition to the column he shared.

Date : Status
1/1/2018 : Green
1/2/2018 : Green
1/3/2018 : Red
1/4/2018 : Green
1/5/2018 : Red

Desired result is :
Status : Count
Green : 2
Red : 1
Green : 1
Red : 1

0 Karma

topleyg
New Member

There is other data, yes; I have simplified it for the purpose of this question.

0 Karma

alacercogitatus
SplunkTrust

Do you have any other data in the log?

0 Karma

topleyg
New Member

Thanks alacercogitatus, this gives a count of all events over the time period, which is not what I want. I want to produce a count of the consecutive like events.

0 Karma