- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I create a new column with incremental chan...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone, I am new to Splunk world and stuck with a query. Can you please help me find the solution for following problem.
I am trying to create a new column with a value which is increased by 1, if there is any change in limit column.
Here is the code that I tried :-
| sort localisation _time
| streamstats range(_time) as Duration window=2
| eval Duration1 = Duration/60
| eval limit = if(Duration1 < 1,1,2)
| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change
"Changes i get" is the column which is getting populated and "Expected changes" is what i am looking for. Every time the value in limit column changes, i want the column to increase values by 1 or else stay the same.
I tried the answer from this Post but its is not working for me
Limit Change I get ExpectedChange
1 0
1 0 0
2 1 1
2 0 1
1 1 2
2 1 3
1 1 4
2 1 5
1 1 6
2 1 7
1 1 8
2 1 9
2 0 9
2 0 9
2 0 9
2 0 9
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @KChaudhary,
here is the answer:
| makeresults
| eval sample="1,1,2,2,1,2,1,2,1,2,1,2,2,2,2,2"
| makemv delim="," sample
| mvexpand sample
| delta sample as diff
| eval diff=abs(diff)
| fillnull diff
| accum diff as cum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @KChaudhary,
here is the answer:
| makeresults
| eval sample="1,1,2,2,1,2,1,2,1,2,1,2,2,2,2,2"
| makemv delim="," sample
| mvexpand sample
| delta sample as diff
| eval diff=abs(diff)
| fillnull diff
| accum diff as cum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much. Its very neat. I am little worried about if the sample is not sequential as shown above and is something like 1,1,2,4,4,4,8,8,9,9,9,6,1,2, then difference could make it little more tricky.
with best regards
karan
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
