How do you write a search for an incremental count...

karthikeyan_k14 · ‎10-12-2017

My output is

Success
Success
Success
Failure
Failure
Faliure
Success
Success
Success
Failure
Success
Success
Success
Success
Success
Success

I need count should be

Field1 count
Success 1
Success 1
Success 1
Failure 0
Failure 0
Faliure 0
Success 2
Success 2
Success 2
Failure 0
Success 3
Success 3
Success 3
Success 3
Success 3
Success 3
...
...
...
..

Success 15
Success 15
Failure 0
Success 16
Success 16
....... like wise

currently my query is .............streamstats count(eval (Field1="Success")) as count by Field1 rest_on_change=true | table Field count

DalJeanis · ‎10-12-2017

Here's what I generally do for that, assuming the Success or Failure field is called Field1.

| streamstats current=f last(Field1) as priorField1
| eval newgroup=case(Field1="Failure",null(),   isnull(priorField1),1,   priorField1!=Field1,1)
| streamstats sum(newgroup) as groupno by Field1
| Table Field1 groupno

How do you write a search for an incremental count for a field evaluating success vs. failure?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How do you write a search for an incremental count for a field evaluating success vs. failure?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...