Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count how many times a field value has changed from one to another?

anphan1992
Engager
‎12-29-2015 11:25 AM

Hi,
In my data I have a "Status" field. The status can be in one of 3 states: Connected, Connecting, Disconnected. I want to calculate how many times the connection has been dropped. In other words, I want to count the number of times the status goes from "Connected" to "Disconnected".

Any ideas?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎12-29-2015 11:53 AM

Using streamstats you can achieve see what the previous value of status was:

... | streamstats current=f window=1 last(status) as prev_status

This will give you on every event (except the first one) the status of your previous event. You can then use a search to look for the case where current status is "disconnected" and previous status is "connected":

... | streamstats current=f window=1 last(status) as prev_status | search status="disconnected" AND prev_status="connected"

If you simply need the count then add a stats count:

... | streamstats current=f window=1 last(status) as prev_status | search status="disconnected" AND prev_status="connected" | stats count

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎12-29-2015 11:53 AM

Using streamstats you can achieve see what the previous value of status was:

... | streamstats current=f window=1 last(status) as prev_status

This will give you on every event (except the first one) the status of your previous event. You can then use a search to look for the case where current status is "disconnected" and previous status is "connected":

... | streamstats current=f window=1 last(status) as prev_status | search status="disconnected" AND prev_status="connected"

If you simply need the count then add a stats count:

... | streamstats current=f window=1 last(status) as prev_status | search status="disconnected" AND prev_status="connected" | stats count

Hope this helps

Reply
Get Updates on the Splunk Community!

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...