How to count only the first event spike in my data...

fblau · ‎02-17-2015

I am bringing in signal data and counting spikes using the following search:

ekg| head 6000 | table ekg, _time | sort _time | trendline wma200(ekg)  as ma |  eval spike=if(ekg > 1.75 * ma, 5 , 0)

It works pretty well, but when the data spikes, I get about 4 spikes counted for each rise:

2.702835    2015-02-17T06:37:00.850+0000    1.836020976 0
1.505376    2015-02-17T06:37:00.850+0000    1.832955897 0
3.054741    2015-02-17T06:37:00.851+0000    1.845338754 0
3.387097    2015-02-17T06:37:00.853+0000    1.860977085 5
3.68524  2015-02-17T06:37:00.855+0000   1.8795149     5
3.743891    2015-02-17T06:37:00.856+0000    1.898542445 5
3.782991    2015-02-17T06:37:00.858+0000    1.91784865   5
3.646139    2015-02-17T06:37:00.860+0000    1.935670102 5
3.333333    2015-02-17T06:37:00.861+0000    1.950263797 0
2.917889    2015-02-17T06:37:00.863+0000    1.96063375   0

What I want is way to only count the first spike and then reset it after a time period (in milliseconds) so that I can accurately count the spikes as only one per rise.

Any ideas?

Isaias_Garcia · ‎02-17-2015

fblau · ‎02-17-2015

That only gets the first record in the series. I want to repeat that spike after a delay or something.

How to count only the first event spike in my data for a window of time?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to count only the first event spike in my data for a window of time?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25