Solved: Re: How to count number of events that occurred ne...

xfiles80 · ‎10-19-2016

Hi,

I am a begginner and can't find solution for my problem.
I have 3 fields:
2 from one source
Characteristic ( has Characteristic names)
Value (has value of measured Characteristic)
and one from another source
Temprature (Temeprature during measurement)

Time of Temperature recording and result recording are different so it should consider span=1hr
I would like to receive information how many measurements above specific value were recorded and in what temperature it happened ie.

Temp No of meas.
10-20 12
21-30 35
31-40 15

Below serach string I tried to use:

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" |bin Temperature bins=10 |chart count(Value) by Temperature

and received only 0 for counts. I suspect that I should use "transaction". I tried but I failed.

somesoni2 · ‎10-21-2016

Give this a try

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | sort 0 _time | filldown Temperature | where isnotnull(Value)
 |bin Temperature bins=10 |chart count(Value) by Temperature

View solution in original post

somesoni2 · ‎10-21-2016

Give this a try

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | sort 0 _time | filldown Temperature | where isnotnull(Value)
 |bin Temperature bins=10 |chart count(Value) by Temperature

xfiles80 · ‎10-27-2016

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | sort 0 _time | filldown Temperature | where isnotnull(Value)
  |bin Temperature bins=10 |chart count(Value) by Temperature

works perfect
Thanks a lot!

richgalloway · ‎10-27-2016

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

xfiles80 · ‎10-21-2016

I will add some data examples:
source1:
Date/Time Value
2016-01-01 01:05 1.49
2016-01-01 03:17 1.57
2016-01-01 05:15 1.58
2016-01-01 11:11 1.59
2016-01-01 17:00 1.49
2016-01-01 23:18 1.56

source2:
Date/Time Temperature
2016-01-01 01:00 23.1
2016-01-01 01:10 23.9
2016-01-01 03:00 24.1
2016-01-01 03:15 24.2
2016-01-01 05:11 25.0
2016-01-01 05:20 23.0
2016-01-01 11:10 30.0
2016-01-01 16:50 27.7
2016-01-01 23:20 25.5

Output I want to have (number or values that were recorded in specific temprature):
Temp. Count(Value)
24-25 1
25-26 2
26-27 0
27-28 0
28-29 0
29-30 1
30-31 0

sundareshr · ‎10-19-2016

Try this

(Characteristic="char1" AND Value>"1.55") OR Temprature="*" | convert num(Temperature) as Temperature | bin Temperature bins=10 | stats count by Temperature

xfiles80 · ‎10-19-2016

Unfortunately it doesn't work correctly. Please remeber that I want to count values for each temperture bin and data are from different sources so have different timelines.

sundareshr · ‎10-21-2016

Ah!!! Missed that. What is common between the two sources that uniquely ties Temperation to Char & Values? Let's assume is called id. Then try this

(Characteristic="char1" AND Value>"1.55") OR Temprature="*"  | eventstats values(Temperature) as Temp  by id | where source="sourceforcharacteristcsfile" | bin Temperature bins=10 | stats count by Temperature

How to count number of events that occurred near different events

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms