Say suppose, I get those logs every minute. Is there a way where I can create a field where if I get successive '0' in status(More than once), the field would display the status as error?

| bucket _time span=1m | stats count(eval(like(<field>, "<status%>"))) AS count BY _time | eval <new_field>=if(count > 1, "error", "")

Use the bucket function to view events per minute. Then use stats to count a desired field by a value using the percent sign as a wildcard. The second eval statement creates a new field and looks for counts greater than one. If there are any counts greater than one, "error" will be displayed for that event within the new field. Otherwise, nothing will be displayed for the new field.

This definitely works. It's good to know that % acts like a wildcard for eval statements in Splunk.

THis worked. thanks. can you suggest me a way to keep Status=1 until "disconnected" is encountered in a log.

Thanks

Thanks for this! I've been trying to figure this out for about an hour and tried a bunch of other stuff.

Be sure to UpVote!

Define what you mean by "keep"? This evaluation creates a new field on a per-event basis. It is not keeping a state. Remember that a log searching tool is not necessarily the best way for finding out a state, because for whatever timerange you search, you might always miss that important piece of state information that was logged 5 minutes before your search time span...