Splunk Search

How to use variables in splunk to count something?

TBo123
Path Finder

Hallo again,

is it possible to use variables in splunk to count something? For example if a string match something the variable "X" increase by one.

Perhaps there is another way to solve my problem:

My actually search looks like this:

_time diff Code
1.1.09 A
1.1.09 0.1 B
1.1.09 22.0 B
1.1.09 23.0 E
1.1.09 0.1 D

I'd like to have something like this:








































_time diff Code ID
1.1.09 A 1
1.1.09 0.1 B 1
1.1.09 22.0 B 2
1.1.09 23.0 E 3
1.1.09 0.1 D 3

This means every time "diff" is bigger than "0.3" the ID have to increase by one.

Thanks.

Tags (2)
0 Karma
1 Solution

TBo123
Path Finder

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

View solution in original post

0 Karma

TBo123
Path Finder

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

0 Karma

somesoni2
Revered Legend

Try this

your base search giving _time,diff,Code | streamstats current=f window=1 first(diff) as prevDiff | eval ID=case(isnull(prevDiff),1,diff-prevDiff>0.3,1,1=1,0) | accum ID
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...