Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count only the first event spike in my data for a window of time?

fblau
Explorer
‎02-17-2015 09:07 PM

I am bringing in signal data and counting spikes using the following search:

ekg| head 6000 | table ekg, _time | sort _time | trendline wma200(ekg)  as ma |  eval spike=if(ekg > 1.75 * ma, 5 , 0)

It works pretty well, but when the data spikes, I get about 4 spikes counted for each rise:

2.702835    2015-02-17T06:37:00.850+0000    1.836020976 0
1.505376    2015-02-17T06:37:00.850+0000    1.832955897 0
3.054741    2015-02-17T06:37:00.851+0000    1.845338754 0
3.387097    2015-02-17T06:37:00.853+0000    1.860977085 5
3.68524  2015-02-17T06:37:00.855+0000   1.8795149     5
3.743891    2015-02-17T06:37:00.856+0000    1.898542445 5
3.782991    2015-02-17T06:37:00.858+0000    1.91784865   5
3.646139    2015-02-17T06:37:00.860+0000    1.935670102 5
3.333333    2015-02-17T06:37:00.861+0000    1.950263797 0
2.917889    2015-02-17T06:37:00.863+0000    1.96063375   0

What I want is way to only count the first spike and then reset it after a time period (in milliseconds) so that I can accurately count the spikes as only one per rise.

Any ideas?

Tags (1)
0 Karma
Reply

Isaias_Garcia
Path Finder
‎02-17-2015 09:47 PM

Hi please try | head 1 instead
ekg| head 1| table ekg, _time | sort _time | trendline wma200(ekg) as ma | eval spike=if(ekg > 1.75 * ma, 5 , 0)

0 Karma
Reply

fblau
Explorer
‎02-17-2015 09:48 PM

That only gets the first record in the series. I want to repeat that spike after a delay or something.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...