Solved: How to use variables in splunk to count something?

TBo123 · ‎08-15-2014

Hallo again,

is it possible to use variables in splunk to count something? For example if a string match something the variable "X" increase by one.

Perhaps there is another way to solve my problem:

My actually search looks like this:

_time	diff	Code
1.1.09		A
1.1.09	0.1	B
1.1.09	22.0	B
1.1.09	23.0	E
1.1.09	0.1	D

I'd like to have something like this:

_time	diff	Code	ID
1.1.09		A	1
1.1.09	0.1	B	1
1.1.09	22.0	B	2
1.1.09	23.0	E	3
1.1.09	0.1	D	3

This means every time "diff" is bigger than "0.3" the ID have to increase by one.

Thanks.

TBo123 · ‎08-18-2014

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

View solution in original post

TBo123 · ‎08-18-2014

Yeah,

thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:

my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID

So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.

somesoni2 · ‎08-15-2014

Try this

your base search giving _time,diff,Code | streamstats current=f window=1 first(diff) as prevDiff | eval ID=case(isnull(prevDiff),1,diff-prevDiff>0.3,1,1=1,0) | accum ID

How to use variables in splunk to count something?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!