Splunk Search

Group events that occur continuously and contain a common name

Path Finder

I would like to group continuous events that occur in order over time, and have a common name.

For example:

_time name
2016-09-05 10:15:36.691 A
2016-09-05 10:15:32.519 B
2016-09-05 10:15:22.708 C
2016-09-05 10:10:37.374 C
2016-09-05 10:10:25.848 B
2016-09-05 10:10:08.099 B
2016-09-05 10:10:03.349 B
2016-09-05 10:09:31.304 A
2016-09-05 10:09:16.339 A
2016-09-05 10:09:07.415 A

Would yield:
_time name count
2016-09-05 10:15:36.691 A 1
2016-09-05 10:15:32.519 B 1
2016-09-05 10:15:22.708 C 2
2016-09-05 10:10:25.848 B 3
2016-09-05 10:09:31.304 A 3

Stats and transaction seem to work over all events in a stream, and I haven't found an obvious way to cluster based on the continuous nature of the data.

Thanks in advance


Re: Group events that occur continuously and contain a common name

SplunkTrust

If the Splunk version is 6.4 or above, try this

| streamstats count as sc by name reset_on_change=true current=t


Re: Group events that occur continuously and contain a common name

SplunkTrust

Try like this

your base search | streamstats current=f window=1 values(name) as prev | eval temp=case(isnull(prev),1,prev!=name,1,true(),0) | accum temp | eventstats count by temp | fields - temp
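The run-detection logic in the answer above (compare each event's name with the previous one, bump a counter on every change, then count per run) written out in Python against the question's sample data, as an added example that is not part of the thread; it assumes events arrive newest first, as Splunk returns them by default, and collapses each run to a single row the way the asker's expected output does.

```python
from itertools import groupby

# Constructed sample: the events from the question, in Splunk's default
# newest-first order (_time, name).
SAMPLE_EVENTS = [
    ("2016-09-05 10:15:36.691", "A"),
    ("2016-09-05 10:15:32.519", "B"),
    ("2016-09-05 10:15:22.708", "C"),
    ("2016-09-05 10:10:37.374", "C"),
    ("2016-09-05 10:10:25.848", "B"),
    ("2016-09-05 10:10:08.099", "B"),
    ("2016-09-05 10:10:03.349", "B"),
    ("2016-09-05 10:09:31.304", "A"),
    ("2016-09-05 10:09:16.339", "A"),
    ("2016-09-05 10:09:07.415", "A"),
]


def assign_run_ids(events):
    """Equivalent of `streamstats window=1 values(name) as prev | eval temp=... | accum temp`:
    every event gets a run id that increments whenever name differs from the previous event."""
    run_ids = []
    run_id = 0
    prev = None
    for _time, name in events:
        # Same test as case(isnull(prev),1, prev!=name,1, true(),0)
        if prev is None or prev != name:
            run_id += 1  # accum temp
        run_ids.append(run_id)
        prev = name
    return run_ids


def group_runs(events):
    """Collapse each run of consecutive same-name events into one row:
    (_time of the first event in the run, name, number of events in the run)."""
    run_ids = assign_run_ids(events)
    rows = []
    for _run_id, members in groupby(zip(run_ids, events), key=lambda pair: pair[0]):
        run = [event for _, event in members]
        first_time, name = run[0]
        rows.append((first_time, name, len(run)))
    return rows


if __name__ == "__main__":
    for _time, name, count in group_runs(SAMPLE_EVENTS):
        print(_time, name, count)
```

The per-run count is the same number `eventstats count by temp` attaches to every event; the only difference is that this version keeps one row per run instead of all of them.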