Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine events with counting?

rendie
Path Finder
‎06-16-2021 04:25 AM

Hi folks,

Just a quick question. For example, a have a dataset

_timefield_xfield_y
14:0100
14:0201
14:0302
14:0413
14:0510
14:0600
14:0711
14:0810

 

If describe this logic in text: field_x is a random number 0 or 1. field_y is how many 0 was in previous events for field_x.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-16-2021 10:57 AM

@rendie 

Can you please try this?

YOUR_SEARCH | sort _time | table _time field_x 
| autoregress field_x as pre p=1 | eval A=if(pre=0,1,null()) | accum A | streamstats list(A) as Z | eval AA = if(isnull(A) and mvcount(Z)>0,mvcount(Z),null()) | filldown AA | fillnull value="0" AA | eval field_y=A-AA
| table _time field_x field_y

 

My Sample Search :

| makeresults 
| eval _raw="_time	field_x	
14:01	0	0
14:02	0	1
14:03	0	2
14:04	1	3
14:05	1	0
14:06	0	0
14:07	0	1
14:08	1	0
14:09	0	0
14:10	1	0
14:11	0	0
14:12	0	0
14:13	0	0
14:14	0	0
14:15	1	0
14:16	0	0
14:17	0	0
14:18	1	0
" 
| multikv forceheader=1 
| eval t = 100 | accum t | eval _time = _time + t | sort _time | table _time field_x 
| autoregress field_x as pre p=1 | eval A=if(pre=0,1,null()) | accum A | streamstats list(A) as Z | eval AA = if(isnull(A) and mvcount(Z)>0,mvcount(Z),null()) | filldown AA | fillnull value="0" AA | eval field_y=A-AA
| table _time field_x field_y

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

rendie
Path Finder
‎06-18-2021 02:13 AM

I'm sorry if my question was not complete. The fact is that initially, I do not have an X field, I create it using | eval field_x = if(fieldValue >= fieldThreshold, 1, 0)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2021 06:04 AM

I changed field_x to As and Bs to show that non-numerics can be dealt with, you just need to compare to one of the values. I recreated field_y and field_z so you can see the process matches your requirement.

| makeresults
| eval _raw="_time	field_x	field_y
14:01	A	0
14:02	A	1
14:03	A	2
14:04	B	3
14:05	B	0
14:06	A	0
14:07	B	1
14:08	B	0"
| multikv forceheader=1
| fields - _* linecount
| streamstats window=1 current=f values(field_x) as previous
| eval previous_match=if(previous="A",1,0)
| streamstats window=1 current=f values(previous_match) as previous
| eval groupstart=if(previous_match=1 AND previous=0,1,0)
| streamstats sum(groupstart) as group
| eval group=if(previous_match=1,group,null)
| streamstats sum(previous_match) as field_z by group
| fillnull value=0 field_z

 

0 Karma
Reply

rendie
Path Finder
‎06-18-2021 02:14 AM

I'm sorry if my question was not complete. The fact is that initially, I do not have an X field, I create it using | eval field_x = if(fieldValue >= fieldThreshold, 1, 0).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...