Hello,
I'm new to Splunk. Need advice. Want to do a count-up (Step) when a Tag's value (PV) transits from 0 to 1. Step is a new field.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0
Pls. advise. Thanks
This way you still keep the PV
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| eventstats sum(eval(if(Transition==1,1,0))) as Total_0_to_1_Transitions
| fields _time, RunCount, PV, Total_0_to_1_Transitions
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
Hello tiagofbmm,
Just try. I need the "Step" to count when the PV transits from 0 to 1. See, below, a sample result (table). I'll need the Step for further work. I appreciate your advice.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0
Hello tiagofbmm,
I'm interested in the countup when the PV transits from 0 to 1, not the total number of transitions. Pls advise. Thanks
Did you try this search? It counts when the PV transits from 0 to 1 and also gives you the run count. Try it and let me know
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| where Transition=1
| eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
| stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
And if you want run count for each transition too, try this
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| where Transition=1
| eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
| stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
Hello Giuseppe,
I'm sorry. I've not explained well. I want to know when the PV transits from 0 to 1 (i.e. start of a process run), and a count-up of the events in the run. There can be a number of runs. Pls. refer to my table. There are 2 runs. 1st run has 4 events; while 2nd run has 7 events. Later, i want to compare the runs' countup, say Run 1 & 2 at Step 3.
Pls. advise. Thanks.
Hello
Please try this code to count 0 to 1 transitions:
yoursearch
| delta PV as Transition
| stats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
Hi htkwan,
if you want to know when PV transit from 0 to 1 you could run a search like this:
your_index PV=1
| table _time PV Step
if you want to know how many times PV passed from 0 to 1 you could run:
your_index PV=1
| stats count
Bye.
Giuseppe
0 to 1 and 1 to 0 is not the same thing 🙂