Does anyone have an example of how to use:
reset_after="(" < eval-expression > ")"
reset_before="(" < eval-expression > ")"
For example, I would like to try something to the effect of:
_time, shift, count
11/1/16 5:11:00.000 PM, DAY, 1
11/1/16 5:12:00.000 PM, DAY, 2
11/1/16 5:13:00.000 PM, NIGHT, 1
11/1/16 5:14:00.000 PM, NIGHT, 2
11/1/16 5:15:00.000 PM, NIGHT, 1
11/1/16 5:16:00.000 PM, NIGHT, 2
11/1/16 5:17:00.000 PM, DAY, 1
11/1/16 5:18:00.000 PM, NIGHT, 3
where the value of the eval-expression would be reset after 11/1/16 5:14:00.000 PM (in epoch format or otherwise) in this case.
Thank you thank you!
Double quotes in the evaluation expression within reset_before or reset_after should be escaped with a backslash (\). Since you are switching by a static time in this case, you don't need by shift as a streamstats split field.
base_search | eval Time=strftime(_time,"%m/%d/%y %I:%M:%S.%3N %p") | streamstats count reset_after="("match(Time,\"11/01/16 05:14:00.000 PM\")")"
So I had a bit of a play around with this data set. I got part way to the answer. When I converted the timestamp to epoch, it seemed to give the expected result using the following:
base_search | eval Time=_time | streamstats count by shift reset_on_change="Time=1478020440"
However, when trying to use the _time field, it did not give the same result. I also had problems when using strings in general. Perhaps you can only use numbers? Anyone else have a solution for the case where the field value is a string?
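Putting the answer's reset_after form together with the second reply's observation that numbers behave better than strings, here is an added example (not from any of the posters above) that builds the question's eight sample events with makeresults, computes the reset condition as a numeric flag beforehand so that no quotes need escaping inside reset_after, and then runs streamstats with the by clause. The field names n and reset_here, and the 5:10 PM base time used to generate the rows, are assumptions of this example. It also assumes, as the expected output in the question does, that reset_after clears the accumulators for every by-group rather than only the group of the current event; confirm that on your Splunk version.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time = strptime("11/01/16 05:10:00 PM", "%m/%d/%y %I:%M:%S %p") + 60 * n
| eval shift = case(n <= 2, "DAY", n <= 6, "NIGHT", n == 7, "DAY", n == 8, "NIGHT")
| fields - n
| sort 0 _time
| eval reset_here = if(_time == strptime("11/01/16 05:14:00 PM", "%m/%d/%y %I:%M:%S %p"), 1, 0)
| streamstats count BY shift reset_after="("reset_here==1")"
| table _time shift count
```

The first four lines only fabricate the sample data (5:11 PM through 5:18 PM with the DAY/NIGHT pattern from the question); on a real index replace them with your base search. The sort is there because search results normally arrive newest first, and streamstats accumulates in the order it receives events, so the running count would run backwards without it. The eval sets reset_here to 1 on the single event whose epoch _time equals 11/01/16 05:14:00 PM in the search's time zone, and reset_after then clears the count once that event has been counted, which yields the sequence DAY 1, DAY 2, NIGHT 1, NIGHT 2, NIGHT 1, NIGHT 2, DAY 1, NIGHT 3 from the question. Swapping reset_after for reset_before resets before the matching event is counted, so the 5:14 PM row itself would restart at 1. If you prefer the string form from the first answer, the strftime format has to use the 12-hour %I with %p so that a value such as 05:14:00.000 PM can actually match, and remember that match() is a regex comparison.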