Solved: Re: How to count events with specified id, if ther...

tgdvopab · ‎08-30-2016

Hello

I would like to make a search for a SLA who does the following: (id 700 is ok, 702 is nok)

Count number of events if there are three nok events (702) successively

Example:

700, 700, 702, 702, 700, 702 should count as 0, because there aren't three events with id 702 successively
700, 702, 702, 702, 700, 700 should count as 1, because there are three events with id 702 successively

How can I do that?
Thanks for your help!

gfuente · ‎08-30-2016

Hello

You could use streamstats to sum the SLA values in groups of 3 values, and if the sum reaches 2112 (3 * 704) then thats what you need.

your base search ...| streamstats window=3 sum(SLA) as alarm | where alarm="2112" | table _time, SLA, alarm

Regards

View solution in original post

inventsekar · ‎08-30-2016

assuming the same format, maybe, we can do a rex for "702, 702, 702"

your base search | rex field=_raw "(?<SLA>702, 702, 702)" | table SLA, _raw _time

gfuente · ‎08-30-2016

Hello

You could use streamstats to sum the SLA values in groups of 3 values, and if the sum reaches 2112 (3 * 704) then thats what you need.

your base search ...| streamstats window=3 sum(SLA) as alarm | where alarm="2112" | table _time, SLA, alarm

Regards

tgdvopab · ‎09-05-2016

Thanks a lot, one question:

We used streamstats to biuld a "package" of three events with the sum of the SLA values.

One Example:

700
700
702
702
702
700

Does the window make a package with number 1-3 oder 3-5?
This is important for the calculation.

Thanks a lot!

How to count events with specified id, if there are three events successively

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!