Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count Max Sub-sequence of identical numbers?

avivn
Explorer
‎02-26-2018 05:13 AM

Hello ,

I need to calculate the maximum length of identical numbers
for example : 0,0,0,0,0,1,0,1,1,0,0 and search for the sequence of 0, the result should be 7 in this case

Anyone have any ideas how this could be accomplished?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-26-2018 07:19 AM

I used the data you supplied in your example to populate a little table with a single row/field called digit. If we didn't have to account for wrapping around the end of the list (the way you get to 7 in your example), it would be really straightforward. But here's a code snippet that achieves what you laid out:

| makeresults 
| eval digit="0,0,0,0,0,1,0,1,1,0,0" 
| makemv delim="," digit 
| mvexpand digit 
| fields - _time 
| streamstats count BY digit reset_on_change=true 
| eventstats first(digit) AS first_digit, last(digit) AS last_digit 
| eventstats max(count) AS max_count BY digit 
| eventstats last(count) AS final_count 
| eval total_count=if(first_digit=last_digit AND first_digit=digit, max_count+final_count, max_count) 
| fields digit, total_count

You can adjust it for other digit lists by adjusting the second line - or customize it to match your data source by editing/removing the first five lines.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-26-2018 07:19 AM

I used the data you supplied in your example to populate a little table with a single row/field called digit. If we didn't have to account for wrapping around the end of the list (the way you get to 7 in your example), it would be really straightforward. But here's a code snippet that achieves what you laid out:

| makeresults 
| eval digit="0,0,0,0,0,1,0,1,1,0,0" 
| makemv delim="," digit 
| mvexpand digit 
| fields - _time 
| streamstats count BY digit reset_on_change=true 
| eventstats first(digit) AS first_digit, last(digit) AS last_digit 
| eventstats max(count) AS max_count BY digit 
| eventstats last(count) AS final_count 
| eval total_count=if(first_digit=last_digit AND first_digit=digit, max_count+final_count, max_count) 
| fields digit, total_count

You can adjust it for other digit lists by adjusting the second line - or customize it to match your data source by editing/removing the first five lines.

0 Karma
Reply
Solved! Jump to solution

avivn
Explorer
‎02-26-2018 10:13 PM

thank you it works !

0 Karma
Reply
Solved! Jump to solution

bjoernhansen
Path Finder
‎02-26-2018 06:09 AM

Can you give more examples to this? I can't see how you would get to 7 based on that data - maybe I'm missing something?

0 Karma
Reply
Solved! Jump to solution

avivn
Explorer
‎02-26-2018 06:17 AM

because i want to count the sequence of zeroes the sequence goes like this:

the values:0,0,0,0,0,1,0,1,1,0,0,
the result : 3,4,5,6,7,-, 1,- ,-,1,2

the zeros at the start continues the zeroes at the end
each value is in a different row same column

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
li.common.scroll-to.top