Solved: Create a new field with cumulative count of a uniq...

keithyap · ‎10-29-2015

IS there a way I can create a new field with a cumulative count of a unique ID?

For example, currently i have created a transaction which groups events together as "trips", however I would like to give each trip a number.

below is an example of what I am trying to acheive:
initially after using the transaction, the events will look like below. Each transaction event will have a unique vehicle ID, duration of trip and distance travelled.

vehID,Duration,Distance
1,30,40
1,20,30
2,30,40
3,20,30
3,40,50
3,50,60

I would like to add a cumulative count to act as a Trip Number.
vehID,Duration,Distance,tripNo
1,30,40,1
1,20,30,2
2,30,40,1
3,20,30,1
3,40,50,2
3,50,60,3

Could anyone advise how I could achieve the above?

Thanks!

aholzer · ‎10-30-2015

Use streamstats command:

<your_search> | streamstats count AS tripNo by vehID

Hope this helps

View solution in original post

aholzer · ‎10-30-2015

Use streamstats command:

<your_search> | streamstats count AS tripNo by vehID

Hope this helps

keithyap · ‎11-01-2015

Thanks! that helped.

Create a new field with cumulative count of a unique ID

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

Create a new field with cumulative count of a unique ID

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps