Splunk Search

## How to increment the field based on the previous value based on the condition?

Explorer

Dear Splunkers,

I want to increment the fields value based on Some conditions as like below.

``````Limit       |    Change
10           |        0
10           |        0
10           |        0
20           |        1
20           |        1
05           |        2
05           |        2
15           |        3
15           |        3
``````

Like above, I need to increment the value from previous value whenever there is a change in the Limit Column.

Thank You.

Tags (3)
1 Solution
Influencer

Try this

`...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change `
Engager

| makeresults | eval var="a,a,a,b,a,c,c,b" | makemv delim="," var | mvexpand var |sort var | streamstats count by var |table var count
|eval i=0 |eval count1=if(count==1,i,i+1)
|streamstats count(eval(count1==0)) as req_col
|table var req_col

Tags (1)
Influencer

Try this

`...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change `
Explorer

Hello, thank you for the solution, I am also struggling with the same problem for quite sometime.
given logic is not working when have a table with values changing between 0 and 1. I want to change the field value every time a even is fired

Limit Change ExpectedChange
1 0
1 0 0
2 1 1
2 0 1
1 1 2
2 1 3
1 1 4
2 1 5
1 1 6
2 1 7
1 1 8
2 1 9
2 0 9
2 0 9
2 0 9
2 0 9

| sort localisation _time
| streamstats range(_time) as Duration window=2
| eval Duration1 = Duration/60
| eval limit = if(Duration1 < 1,1,2)
| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change

Explorer

You may have solved this by now but i just had the same problem so I'll post this here for anyone else who needs it.

``````...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change | streamstats count(eval(change==1)) as conecutive_change
``````
Get Updates on the Splunk Community!

#### 3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

#### What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

#### Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...