Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identify events based on the incremental change of a value

punichannibal
Explorer
‎10-19-2023 12:40 AM

Hi,

I have have a list of events that contain a customer ID. I'm trying to detect when I have a sequence of events with incremental changes to the ID

Example:

- event A - ID0

- event B - ID1

- event C- ID2

- event D - ID3

 

I might have other events between these increments that could have unrelated IDs (i.e: event A ID0 - event H ID 22, event B ID1)

I've tried using | streamstats current=f last(CustomerID) as prev_CustomerID
| eval increment = CustomerID - prev_CustomerID but without any luck.

 

Do you guys know a way this could be achieved ?

 

 

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:13 AM

Assuming ID is a numeric, your solution should work. You could also try range with window of 2. Here is a runanywhere example demonstrating both techniques

| makeresults format=csv data="event,id
A,1
B,2
C,4
D,5"
| streamstats range(id) as range window=2
| streamstats current=f last(id) as prev_id
| eval increment=id-prev_id
Reply

punichannibal
Explorer
‎10-19-2023 02:48 AM

Hello, 

Thank you for the answer. Indeed trying a range with a windows of 2 spawns results. However, I'm not picking up on the first start of the sequence (ID 0 and ID 1)  but only the last 4 IDs ( 2/3/4/5)

Any ideas ?

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:51 AM

What were you expecting for the first id if there is no previous row?

0 Karma
Reply

punichannibal
Explorer
‎10-19-2023 02:53 AM

I see your logic, my bad. I'm trying to identify the start of the sequence as well even thought there is no increment based on the previous row.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 02:55 AM

Try something like this

| eval range=coalesce(range, id)
0 Karma
Reply

punichannibal
Explorer
‎10-19-2023 05:47 AM

I'm not sure where this goes, can you please explain what it changes?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 08:18 AM

Perhaps if you provided some more realistic (but anonymised) sample events, and a representation of the output you are trying to achieve, we may be able to help you to a solution.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 06:39 AM 
| makeresults format=csv data="event,id
A,1
B,2
C,4
D,5"
| streamstats range(id) as range window=2
| eval range=coalesce(range, id)
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...