I have a boolean value in my data set. I want to group all events together that are between the event (a) right after a boolean value goes true all the way through to the next event (b) with a true value. So then the next grouping would start at the next event (c) (directly after event (b)) and include every event through to the next event (d) with a true value, and so on.
My difficulties are coming from the fact that it is not actually based on a time field, and the time between true events constantly changes. Is it possible for this to be calculated on the fly while doing a search? In the end, I would like to look at several of these groups to then use the predict command.
If I am not clear, please ask me to elaborate further. The question probably seems clearer in my head...
Sounds like what you want is the transaction command, with the startswith= set to detect your boolean true.
You could also do something like ...
| makeresults | eval mybool="T F F F T F T F T T F F F F T F" | makemv mybool | mvexpand mybool
| streamstats count as recno | eval _time = relative_time(now(),"-1h@h") + 60*recno
| rename COMMENT as "The above just generates some events with mybool=T or mybool=F."
| streamstats count(eval(mybool="T")) as setno
Each record will then have a value for setno based on the last event that mybool was true.
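Added example, not part of the original answer: the same grouping logic written in plain Python, so the group boundary produced by streamstats (each group starts at a true event) can be compared with the boundary the question asks for (each group starts at the event right after a true event and includes the next true event). The T/F sequence is the constructed sample from the makeresults search above; the base timestamp and the helper names are assumptions of this example, not SPL functions.

```python
from datetime import datetime, timedelta

# Constructed sample: the same T/F sequence as the makeresults search above.
MYBOOL = "T F F F T F T F T T F F F F T F"


def make_events(flags=MYBOOL, start=None):
    """Mirror of `makemv | mvexpand | streamstats count as recno | eval _time=...`:
    one event per flag, one minute apart, oldest first."""
    start = start or datetime(2024, 1, 1, 0, 0, 0)  # constructed base time
    events = []
    for recno, flag in enumerate(flags.split(), start=1):
        events.append({"recno": recno, "mybool": flag,
                       "_time": start + timedelta(minutes=recno)})
    return events


def streamstats_setno(events):
    """`streamstats count(eval(mybool="T")) as setno`: a running count of true
    events, so each group starts AT a true event and runs up to the event
    before the next true one. Events before the first true would get setno=0."""
    setno = 0
    for ev in events:
        if ev["mybool"] == "T":
            setno += 1
        ev["setno"] = setno
    return events


def group_after_true(events):
    """The grouping the question asks for: a group starts at the event right
    AFTER a true event and runs through, and includes, the next true event."""
    grp = 0
    for ev in events:
        ev["grp"] = grp
        if ev["mybool"] == "T":
            grp += 1  # the next event opens a new group
    return events


def group_sizes(events, key):
    """Number of events per group id (like `stats count by <key>`)."""
    sizes = {}
    for ev in events:
        sizes[ev[key]] = sizes.get(ev[key], 0) + 1
    return sizes


def group_duration_seconds(events, key):
    """First-to-last _time span per group, the kind of per-group series one
    would feed to predict (like `stats range(_time) by <key>`)."""
    first, last = {}, {}
    for ev in events:
        g = ev[key]
        first.setdefault(g, ev["_time"])
        last[g] = ev["_time"]
    return {g: (last[g] - first[g]).total_seconds() for g in first}


if __name__ == "__main__":
    by_setno = streamstats_setno(make_events())
    by_grp = group_after_true(make_events())
    print("setno:", [e["setno"] for e in by_setno])
    print("grp:  ", [e["grp"] for e in by_grp])
    print("sizes by setno:", group_sizes(by_setno, "setno"))
    print("sizes by grp:  ", group_sizes(by_grp, "grp"))
    print("seconds per setno group:", group_duration_seconds(by_setno, "setno"))
```

Running it shows the two numberings are shifted by one event: with streamstats the true event opens the group it is counted in, whereas the question wants that true event to close the previous group. If the latter is the intended boundary, the SPL equivalent is to increment the counter on the event after the true one rather than on the true one itself.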
Hello,
If I understand correctly, you want to calculate the time between the "true" events based on another field than _time?
You can do this, using the delta between the "true" events as follows:
| eval tDT= strptime(Your_Date_Field, "%F")
| delta tDT as t_diff
| eval t_diff = floor(t_diff / 86400)
| eval _time = strptime(Your_Date_Field, "%F")
| timechart span=7d values(t_diff) as values
This calculates the time between events in days, and displays the results in a timechart with span of 1 week (7 days).
Hope this helps.
Regards,
Ken.