I am looking to record a measurement which is taken after the transition from Home state to Diagnostic state. I am calling the state change the keystone event.
the raw keystone event looks like so:
{"bootcount":26,"device_id":"X","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC",
"location":{"city":"X","country":"X","latitude":X,"longitude":X,"state":"X"},"log_level":"info",
"message":"client: GCL internal state { new_state: Diagnostic, old_state: Home, conditions: 65600, error_code: 0}",
"model_number":"X1","sequence":274,"serial":"123X","software_version":"2.3.1.7682","ticks":26391,"timestamp":1723254756}
My search to find the keystone event looks like:
index="june_analytics_logs_prod" message="* new_state: Diagnostic, old_state: Home*" NOT message="*counts*"
After the keystone event, I would like to take the measurements found in the immediate next 5 events. I will call these the data events.
The raw data events look like:
{"bootcount":26,"device_id":"x","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC",
"location":{"city":"X","country":"X","latitude":X,"longitude":X,"state":"X"},"log_level":"info",
"message":"client: fan: 2697, auger: 1275, glow_v: 782, glow: false, fuel: 0, cavity_temp: 209",
"model_number":"X1","sequence":280,"serial":"123X","software_version":"2.3.1.7682","ticks":26902,"timestamp":1723254761}
I would like to take the first 5 data events directly after the keystone event, extract the glow_v value and take the median of these 5 values as the accepted value.
In short, I want to build a query to find the time of a keystone event, use this time to find the immediately proceeding data events that match certain criteria, extract the glow_v value from these data events and then take the median of these glow_v values.
OK. There are some things that are highly suboptimal with your search (especially the use of wildcards), but I'm not digging into it at the moment.
Also be aware that "next" might not mean the same for everyone, so you should be precise when specifying your problem. By default Splunk returns data in reverse chronological order, so Splunk's "next" event will actually be a previous event time-wise.
Anyway, the way to match something and some subsequent events (again, in Splunk's order; you might want to reverse or sort your events before doing so) is to use the streamstats command with the count function and the change_on parameter, and then simply filter on events only having that count value below a given threshold.
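Here is a complete search that applies the approach from the answer above to the events in the question. It is an added example, not code from either poster. It assumes the JSON fields `message`, `serial` and `sequence` are extracted at search time (the question's own search already relies on `message`), and that keystone events start with `client: GCL internal state` and data events with `client: fan:`, as in the two posted samples. Instead of a streamstats reset option (the real ones are `reset_before` and `reset_after`) it uses a running `sum()` of a keystone flag, which gives each keystone and its following data events a shared `keystone_id` that the later `stats` can group on.

```spl
index="june_analytics_logs_prod" event_source="appliance"
    (message="client: GCL internal state*" OR message="client: fan:*")
| sort 0 serial _time sequence
| eval is_keystone=if(match(message, "new_state: Diagnostic, old_state: Home"), 1, 0)
| eval keystone_time=if(is_keystone=1, _time, null())
| rex field=message "glow_v:\s*(?<glow_v>-?\d+)"
| streamstats sum(is_keystone) as keystone_id, last(keystone_time) as keystone_time by serial
| where keystone_id > 0 AND is_keystone=0 AND isnotnull(glow_v)
| streamstats count as pos by serial keystone_id
| where pos <= 5
| stats count as n_samples, list(glow_v) as glow_v_samples, median(glow_v) as glow_v_accepted by serial keystone_id keystone_time
| where n_samples = 5
| eval keystone_time=strftime(keystone_time, "%Y-%m-%d %H:%M:%S")
| table serial keystone_time n_samples glow_v_samples glow_v_accepted
```

A few points about the design. `sort 0 serial _time sequence` turns Splunk's reverse-chronological output into per-device chronological order before streamstats runs, with `sequence` breaking ties for events in the same second (the `0` removes sort's default 10000-row limit). The base search only uses trailing wildcards, so the index can be used; the exact Home-to-Diagnostic transition is then checked with `match()`. Events between a keystone and its data events that carry no `glow_v` (other state changes, for instance) are dropped before `pos` is counted, so they do not consume one of the five slots; if you want every event to count, move the `isnotnull(glow_v)` test after the `pos <= 5` filter and widen the base search to all messages. `last(keystone_time)` carries each keystone's timestamp forward onto its data events so it can appear in the output, and `where n_samples = 5` discards groups where fewer than five data events follow a keystone (end of the search window, or a reboot), so a median is never computed over a partial set.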