Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identify events based on the incremental change of a value

punichannibal
Explorer
‎10-19-2023 12:40 AM

Hi,

I have have a list of events that contain a customer ID. I'm trying to detect when I have a sequence of events with incremental changes to the ID

Example:

- event A - ID0

- event B - ID1

- event C- ID2

- event D - ID3

 

I might have other events between these increments that could have unrelated IDs (i.e: event A ID0 - event H ID 22, event B ID1)

I've tried using | streamstats current=f last(CustomerID) as prev_CustomerID
| eval increment = CustomerID - prev_CustomerID but without any luck.

 

Do you guys know a way this could be achieved ?

 

 

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:13 AM

Assuming ID is a numeric, your solution should work. You could also try range with window of 2. Here is a runanywhere example demonstrating both techniques

| makeresults format=csv data="event,id
A,1
B,2
C,4
D,5"
| streamstats range(id) as range window=2
| streamstats current=f last(id) as prev_id
| eval increment=id-prev_id
Reply

punichannibal
Explorer
‎10-19-2023 02:48 AM

Hello, 

Thank you for the answer. Indeed trying a range with a windows of 2 spawns results. However, I'm not picking up on the first start of the sequence (ID 0 and ID 1)  but only the last 4 IDs ( 2/3/4/5)

Any ideas ?

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:51 AM

What were you expecting for the first id if there is no previous row?

0 Karma
Reply

punichannibal
Explorer
‎10-19-2023 02:53 AM

I see your logic, my bad. I'm trying to identify the start of the sequence as well even thought there is no increment based on the previous row.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:55 AM

Try something like this

| eval range=coalesce(range, id)
0 Karma
Reply

punichannibal
Explorer
‎10-19-2023 05:47 AM

I'm not sure where this goes, can you please explain what it changes?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 08:18 AM

Perhaps if you provided some more realistic (but anonymised) sample events, and a representation of the output you are trying to achieve, we may be able to help you to a solution.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 06:39 AM 
| makeresults format=csv data="event,id
A,1
B,2
C,4
D,5"
| streamstats range(id) as range window=2
| eval range=coalesce(range, id)
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...