Splunk Search

Count values changes only when value in a column changes

nabeel652
Builder

Hello wonderful Splunk community,

I have some data where I want the count to change only when the status changes:

Status    Count
----------------
Online    1
Online    1
Online    1
Break     2
Break     2
Online    3
Online    3
Lunch     4
Lunch     4
Lunch     4
Offline   5
Offline   5

Any help appreciated. 

1 Solution

gcusello
SplunkTrust

Hi @nabeel652 ,

ok, please try this:

<your_search>
| autoregress status as status_old p=1
| table _time status status_old
| eval NO=0
| foreach NO
     [ eval NO=if(status=status_old,NO,NO+1)]
| accum NO

which I tested (and which runs) in this way:

| makeresults | eval _raw= "Online      1"
| append [ | makeresults | eval _raw= "Online      1"]
| append [ | makeresults | eval _raw= "Online     1"]
| append [ | makeresults | eval _raw= "Break      2"]
| append [ | makeresults | eval _raw= "Break       2"]
| append [ | makeresults | eval _raw= "Online       3"]
| append [ | makeresults | eval _raw= "Online       3"]
| append [ | makeresults | eval _raw= "Lunch       4"]
| append [ | makeresults | eval _raw= "Lunch        4"]
| append [ | makeresults | eval _raw= "Lunch       4"]
| append [ | makeresults | eval _raw= "Offline     5"]
| append [ | makeresults | eval _raw= "Offline    5"]
| rex "^(?<status>\w+)"
| autoregress status as status_old p=1
| table _time status status_old
| eval NO=0
| foreach NO
     [ eval NO=if(status=status_old,NO,NO+1)]
| accum NO

Ciao.

Giuseppe
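As an added example (not code from either poster), the same run numbering done with streamstats instead of autoregress/foreach, on constructed rows that reproduce the question's sequence; it keeps every row and then feeds the run number NO into the earliest/latest stats that nabeel652 asks for later in the thread. The field names status_old, changed and NO are assumptions chosen here.

```spl
| makeresults count=12
| streamstats count as n
| eval _time=_time+n
| eval status=case(n<=3,"Online", n<=5,"Break", n<=7,"Online", n<=10,"Lunch", true(),"Offline")
| streamstats current=f last(status) as status_old
| eval changed=if(isnull(status_old) OR status!=status_old, 1, 0)
| streamstats sum(changed) as NO
| stats earliest(_time) as startTime latest(_time) as endTime count by NO status
```

With current=f, streamstats gives each row the previous row's status (null on the first row, so isnull() marks it as the first change), and the running sum of changed yields 1,1,1,2,2,3,3,4,4,4,5,5 before the final stats collapses the twelve rows into five runs. Drop the last line to keep all twelve rows with their NO value.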


gcusello
SplunkTrust

Hi @nabeel652 ,

if you already extracted the status field, you could try something like this:

<your_search>
| autoregress status as status_old p=1
| table _time status status_old
| where NOT status=status_old

Ciao.

Giuseppe


nabeel652
Builder

Thank you for the reply 🙂

I was able to achieve the same with

| streamstats reset_on_change=true count by Activity
| where count==1

But I want a count field that just increments when it senses a change in status,
so I can do my
| stats earliest(_time) as startTime, latest(_time) as endTime by status, count
or something like that...


gcusello
SplunkTrust

Hi @nabeel652 ,

did you try with accum?

<your_search>
| autoregress status as status_old p=1
| table _time status status_old
| where NOT status=status_old
| eval NO=1 
| accum NO

Ciao.

Giuseppe


nabeel652
Builder

Thank you

I don't want to omit any records. This sort of gives me the required results, but records are missing, which I don't want. I want the same number of rows after the solution is applied.


nabeel652
Builder

I was able to do it some other way, but your solution is cleaner and more elegant. Thanks for the help.
