Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a new column with incremental change based on another column?

KChaudhary
Explorer
‎08-27-2018 06:29 AM

Hello everyone, I am new to Splunk world and stuck with a query. Can you please help me find the solution for following problem.
I am trying to create a new column with a value which is increased by 1, if there is any change in limit column.

Here is the code that I tried :-

| sort localisation _time 
| streamstats range(_time) as Duration window=2 
| eval Duration1 = Duration/60 
| eval limit = if(Duration1 < 1,1,2) 
| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change

"Changes i get" is the column which is getting populated and "Expected changes" is what i am looking for. Every time the value in limit column changes, i want the column to increase values by 1 or else stay the same.

I tried the answer from this Post but its is not working for me

Limit   Change I get    ExpectedChange
1       0
1   0   0
2   1   1
2   0   1
1   1   2
2   1   3
1   1   4
2   1   5
1   1   6
2   1   7
1   1   8
2   1   9
2   0   9
2   0   9
2   0   9
2   0   9

Thank you in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

poete
Builder
‎08-29-2018 09:12 AM

Hello @KChaudhary,

here is the answer:

| makeresults
| eval sample="1,1,2,2,1,2,1,2,1,2,1,2,2,2,2,2"
| makemv delim="," sample
| mvexpand sample
| delta sample as diff
| eval diff=abs(diff)
| fillnull diff 
| accum diff as cum

View solution in original post

Reply
Solved! Jump to solution
Solution

poete
Builder
‎08-29-2018 09:12 AM

Hello @KChaudhary,

here is the answer:

| makeresults
| eval sample="1,1,2,2,1,2,1,2,1,2,1,2,2,2,2,2"
| makemv delim="," sample
| mvexpand sample
| delta sample as diff
| eval diff=abs(diff)
| fillnull diff 
| accum diff as cum
Reply
Solved! Jump to solution

KChaudhary
Explorer
‎08-30-2018 06:57 AM

Thank you very much. Its very neat. I am little worried about if the sample is not sequential as shown above and is something like 1,1,2,4,4,4,8,8,9,9,9,6,1,2, then difference could make it little more tricky.

with best regards
karan

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Top