I have a script that I wrote which goes out and samples data from a few thousand servers every 5 minutes and returns a number of fields. I'm trying to get a report to tell me how often a specific field transitions per server over the course of 2-3 days.
In this case the field is state and the values could be free, job-busy, job-exclusive, offline, down, and a few others.
Ideally I want to count the changes and not the totals: since it's sampled every 5 minutes, totals aren't altogether helpful, but knowing there were 6 changes from any one state to any other is. Knowing the duration between each transition is also very valuable. Transaction seems like a very solid fit, but I just can't seem to get it to function correctly. It seems to catch one set of host fields and the one immediately following it. I just can't seem to get correlate, contingency, or associate to work either, since this is scheduled sampled data and not naturally occurring event data that has a more organic timescale, and contingency is just giving me counts of what would otherwise be the exact format I'm looking for.
Try this:
sourcetype=mydata
| streamstats global=f current=t window=2
    distinct_count(myfield) as myfield_values
    by host
| where myfield_values > 1
| stats count by host
That will give you the number of transitions. If you also want the times, it's a little more complicated:
sourcetype=mydata
| streamstats global=f current=t window=2
    distinct_count(myfield) as myfield_values
    latest(_time) as transition_time
    by host
| where myfield_values > 1
| streamstats global=f current=t window=2
    range(transition_time) as time_since_previous_transition
    by host
This will list out each transition along with the time. I guess I'm not really sure how to summarize up the total number while still listing out each transition time, but maybe you add a ... | stats count, avg(time_since_previous_transition) by host and that's close to what you want?
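As an added example (not from the original answer), the same idea written so that each host's samples are put into time order first, so the "previous" event in the window is really the earlier sample, and so the per-host total is carried on each transition row via eventstats rather than collapsed by a final stats. It uses the field name state from the question and sourcetype=mydata from the answer; prev_state, prev_transition_time, time_since_previous_transition and total_transitions are names chosen here.

```spl
sourcetype=mydata
| sort 0 host _time
| streamstats current=f window=1 last(state) AS prev_state BY host
| where isnotnull(prev_state) AND state!=prev_state
| streamstats current=f window=1 last(_time) AS prev_transition_time BY host
| eval time_since_previous_transition = _time - prev_transition_time
| eventstats count AS total_transitions BY host
| table _time host prev_state state time_since_previous_transition total_transitions
| sort 0 host _time
```

sort 0 lifts the default 10,000-result limit, which matters with a few thousand hosts sampled every 5 minutes over several days; the first transition per host has no prev_transition_time, so its time_since_previous_transition is empty by design.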