Solved: How to use variables in splunk to count something?

TBo123 · ‎08-15-2014

Hallo again,

is it possible to use variables in splunk to count something? For example if a string match something the variable "X" increase by one.

Perhaps there is another way to solve my problem:

My actually search looks like this:

_time	diff	Code
1.1.09		A
1.1.09	0.1	B
1.1.09	22.0	B
1.1.09	23.0	E
1.1.09	0.1	D

I'd like to have something like this:

_time	diff	Code	ID
1.1.09		A	1
1.1.09	0.1	B	1
1.1.09	22.0	B	2
1.1.09	23.0	E	3
1.1.09	0.1	D	3

This means every time "diff" is bigger than "0.3" the ID have to increase by one.

Thanks.

TBo123 · ‎08-18-2014

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

View solution in original post

TBo123 · ‎08-18-2014

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

somesoni2 · ‎08-15-2014

Try this

your base search giving _time,diff,Code | streamstats current=f window=1 first(diff) as prevDiff | eval ID=case(isnull(prevDiff),1,diff-prevDiff>0.3,1,1=1,0) | accum ID

How to use variables in splunk to count something?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)