Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counter for when event occurs one or more times

cpeteman
Contributor
‎07-07-2013 04:27 PM

I want to set up a search for when an event occurs one or more times in a minute (just whether or not it occurred not the total count). This along with sum stats functions I'll use to figure out whether or not an event is a regular check or an anomaly. As in if the stdev is zero and the sum is high and I need to check to see if there has been many events, implying that they are a regular message, or a single event implying that there is a problem.

More detail:

I have all results in a table by punct with relevant stats listed and I want one of those relevant fields to be a variable that checks whether or not an event occurred in a minute (regardless of how many times) adds those up over the entire search time and put it in the same row as that punct. Hope this makes every thing more clear.

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-08-2013 10:33 AM 
... | bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0) | stats sum(occurred) by punct

or

... | bucket _time span=1m | stats count by _time,punct | stats sum(eval(if(count!=0,1,0))) by punct

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-08-2013 10:33 AM 
... | bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0) | stats sum(occurred) by punct

or

... | bucket _time span=1m | stats count by _time,punct | stats sum(eval(if(count!=0,1,0))) by punct
Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:44 AM

They appear to both work as desired thanks a bunch!

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:35 AM

I like it. I have the: "| bucket _time span=1m | stats count by _time,punct |" part already. I'll let you know how it works

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:11 AM

Not quite but It sounds like a good place to start (except I don't plan on this being an alert really...) so I will take a look. I added a lot more to the question to make it more clear I hope.

Reply
Solved! Jump to solution

linu1988
Champion
‎07-08-2013 09:38 AM

From your case i suspect it will be a realtime thing. Put your search and schedule it from "rt - 1m" to "rt". It will keep searching the time window. If the case satisfies you can set up an alert. Hope i understand it correctly. Thanks

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...