Splunk Search

Splunk7: Status = Count Up when PV's Value transits from 0 to 1

htkwan
Path Finder

Hello,
I'm new to Splunk. Need advice. Want to do a count-up (Step) when a Tag's value (PV) transits from 0 to 1. Step is a new field.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0

Please advise. Thanks.

0 Karma

tiagofbmm
Influencer

This way you still keep the PV

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | eventstats sum(eval(if(Transition==1,1,0))) as Total_0_to_1_Transitions
    | fields _time, RunCount, PV, Total_0_to_1_Transitions
0 Karma

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

htkwan
Path Finder

Hello tiagofbmm,
Just try. I need the "Step" to count when the PV transits from 0 to 1. See, below, a sample result (table). I'll need the Step for further work. I appreciate your advice.

_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0

0 Karma

htkwan
Path Finder

Hello tiagofbmm,
I'm interested in the count-up when the PV transits from 0 to 1, not the total number of transitions. Please advise. Thanks.

0 Karma

tiagofbmm
Influencer

Did you try this search? It counts when the PV transits from 0 to 1 and also gives you the run count. Try it and let me know

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | where Transition=1
    | eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
    | stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
0 Karma

tiagofbmm
Influencer

And if you want run count for each transition too, try this

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | where Transition=1
    | eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
    | stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
0 Karma

htkwan
Path Finder

Hello Giuseppe,
I'm sorry. I've not explained well. I want to know when the PV transits from 0 to 1 (i.e. start of a process run), and a count-up of the events in the run. There can be a number of runs. Please refer to my table. There are 2 runs. The 1st run has 4 events, while the 2nd run has 7 events. Later, I want to compare the runs' count-up, say Run 1 & 2 at Step 3.

Please advise. Thanks.

0 Karma
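The Step counter described in the question and restated above, as an added Python example that is not code from any post in this thread and not the SPL the answers propose. It builds the poster's table as constructed sample data, sorts rows into ascending time order first (the point the streamstats-based answers depend on, since Splunk returns events newest-first by default), and starts a run only on an observed 0 to 1 transition, so the leading PV=1 rows keep Step 0 exactly as in the poster's table.

```python
from datetime import datetime, timedelta

# Constructed sample, copied from the poster's table: PV sampled once per second
# starting 3/24/2018 11:00:00.
START = datetime(2018, 3, 24, 11, 0, 0)
PV_SEQUENCE = "11100111100000111111100000"
SAMPLE_ROWS = [(START + timedelta(seconds=i), int(c)) for i, c in enumerate(PV_SEQUENCE)]


def add_step(rows):
    """Return (time, PV, Run, Step) tuples in ascending time order.

    Rows are sorted first because Splunk hands results back newest-first by
    default, and a running counter only makes sense on a time-ordered stream.
    A run begins only on an observed 0 -> 1 transition, so PV=1 rows at the
    very start (no preceding 0 seen) keep Step 0, matching the poster's table.
    """
    out, prev_pv, run, step = [], None, 0, 0
    for ts, pv in sorted(rows, key=lambda r: r[0]):
        if pv == 1 and prev_pv == 0:      # 0 -> 1: a new run starts here
            run += 1
            step = 1
        elif pv == 1 and step > 0:        # still inside a run: count up
            step += 1
        else:                             # PV=0, or a leading run with no seen start
            step = 0
        out.append((ts, pv, run if step else 0, step))
        prev_pv = pv
    return out


def steps_by_run(rows):
    """Map run number -> ordered Step values, so runs can be compared step by step."""
    runs = {}
    for _, _, run, step in add_step(rows):
        if run:
            runs.setdefault(run, []).append(step)
    return runs


def count_transitions(rows):
    """Number of 0 -> 1 transitions, i.e. the number of runs that were started."""
    return len(steps_by_run(rows))


if __name__ == "__main__":
    for ts, pv, run, step in add_step(SAMPLE_ROWS):
        print(ts.strftime("%m/%d/%Y %H:%M:%S"), pv, run, step)
    print("runs:", steps_by_run(SAMPLE_ROWS))
```

Feeding the rows in reverse (newest-first, as Splunk would return them) yields the same Step column, which is the ordering guarantee the SPL answers need `sort` for.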

tiagofbmm
Influencer

Hello

Please try this code to count 0 to 1 transitions:

yoursearch
    | delta PV as Transition
    | stats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
0 Karma

gcusello
Legend

Hi htkwan,
if you want to know when PV transits from 0 to 1 you could run a search like this:

your_index PV=1
| table _time PV Step

if you want to know how many times PV passed from 0 to 1 you could run:

your_index PV=1
| stats count

Bye.
Giuseppe

0 Karma

tiagofbmm
Influencer

0 to 1 and 1 to 0 is not the same thing 🙂

0 Karma