How do you write a search for an incremental count...

karthikeyan_k14 · ‎10-12-2017

My output is

Success
Success
Success
Failure
Failure
Faliure
Success
Success
Success
Failure
Success
Success
Success
Success
Success
Success

I need count should be

Field1 count
Success 1
Success 1
Success 1
Failure 0
Failure 0
Faliure 0
Success 2
Success 2
Success 2
Failure 0
Success 3
Success 3
Success 3
Success 3
Success 3
Success 3
...
...
...
..

Success 15
Success 15
Failure 0
Success 16
Success 16
....... like wise

currently my query is .............streamstats count(eval (Field1="Success")) as count by Field1 rest_on_change=true | table Field count

DalJeanis · ‎10-12-2017

Here's what I generally do for that, assuming the Success or Failure field is called Field1.

| streamstats current=f last(Field1) as priorField1
| eval newgroup=case(Field1="Failure",null(),   isnull(priorField1),1,   priorField1!=Field1,1)
| streamstats sum(newgroup) as groupno by Field1
| Table Field1 groupno

How do you write a search for an incremental count for a field evaluating success vs. failure?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How do you write a search for an incremental count for a field evaluating success vs. failure?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?