Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use variables in splunk to count something?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hallo again,
is it possible to use variables in splunk to count something? For example if a string match something the variable "X" increase by one.
Perhaps there is another way to solve my problem:
My actually search looks like this:
| _time | diff | Code |
|---|---|---|
| 1.1.09 | A | |
| 1.1.09 | 0.1 | B |
| 1.1.09 | 22.0 | B |
| 1.1.09 | 23.0 | E |
| 1.1.09 | 0.1 | D |
I'd like to have something like this:
| _time | diff | Code | ID |
|---|---|---|---|
| 1.1.09 | A | 1 | |
| 1.1.09 | 0.1 | B | 1 |
| 1.1.09 | 22.0 | B | 2 |
| 1.1.09 | 23.0 | E | 3 |
| 1.1.09 | 0.1 | D | 3 |
This means every time "diff" is bigger than "0.3" the ID have to increase by one.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah,
thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:
my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID
So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah,
thank you so much. Your answer was very helpful. But I did not need the streamstats command. To solve my problem I take this one:
my base search giving _time,diff,Code | eval ID=case(isnull(diff),1,diff>0.3,1,1=1,0) | accum ID
So every time "diff" is greater than 0.3 "ID" will increase by one. Your given code calculate the difference between the "diff" fields which I do not need in this example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search giving _time,diff,Code | streamstats current=f window=1 first(diff) as prevDiff | eval ID=case(isnull(prevDiff),1,diff-prevDiff>0.3,1,1=1,0) | accum ID
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
