Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to increment the field based on the previous value based on the condition?

Rajkumarkbm2
Explorer
‎07-26-2018 11:19 AM

Dear Splunkers,

I want to increment the fields value based on Some conditions as like below.

Limit       |    Change
10           |        0
10           |        0
10           |        0
20           |        1
20           |        1
05           |        2
05           |        2
15           |        3
15           |        3

Like above, I need to increment the value from previous value whenever there is a change in the Limit Column.

Thank You.

Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-26-2018 12:48 PM

Try this

...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change

View solution in original post

Reply
Solved! Jump to solution

gnanadeep55
Engager
‎08-09-2021 06:27 AM

| makeresults | eval var="a,a,a,b,a,c,c,b" | makemv delim="," var | mvexpand var |sort var | streamstats count by var |table var count
|eval i=0 |eval count1=if(count==1,i,i+1)
|streamstats count(eval(count1==0)) as req_col
|table var req_col

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-26-2018 12:48 PM

Try this

...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change
Reply
Solved! Jump to solution

KChaudhary
Explorer
‎08-27-2018 06:14 AM

Hello, thank you for the solution, I am also struggling with the same problem for quite sometime.
given logic is not working when have a table with values changing between 0 and 1. I want to change the field value every time a even is fired

Limit Change ExpectedChange
1 0
1 0 0
2 1 1
2 0 1
1 1 2
2 1 3
1 1 4
2 1 5
1 1 6
2 1 7
1 1 8
2 1 9
2 0 9
2 0 9
2 0 9
2 0 9

I am using following code. Can you please help.

| sort localisation _time
| streamstats range(_time) as Duration window=2
| eval Duration1 = Duration/60
| eval limit = if(Duration1 < 1,1,2)
| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change

0 Karma
Reply
Solved! Jump to solution

BenThwaites
Explorer
‎01-23-2019 04:13 PM

You may have solved this by now but i just had the same problem so I'll post this here for anyone else who needs it.

...| autoregress limit as limit_old | eval change=0 | autoregress change as change_old | eval change = if(limit=limit_old, change_old,change_old+1) | table limit change | streamstats count(eval(change==1)) as conecutive_change
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...