- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk7: Status = Count Up when PV's Value tra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk7: Status = Count Up when PV's Value transits from 0 to 1
Hello,
I'm new to Splunk. Need advice. Want to do a count-up (Step) when a Tag's value (PV) transits from 0 to 1. Step is a new field.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0
Pls. advise. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This way you still keep the PV
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| eventstats sum(eval(if(Transition==1,1,0))) as Total_0_to_1_Transitions
| fields _time, RunCount, PV, Total_0_to_1_Transitions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello tiagofbmm,
Just try. I need the "Step" to count when the PV transits from 0 to 1. See, below, a sample result (table). I'll need the Step for further work. I appreciate your advice.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello tiagofbmm,
I'm interested in the countup when the PV transits from 0 to 1, not the total number of transitions. Pls advise. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try this search? It counts when the PV transits from 0 to 1 and also gives you the run count. Try it and let me know
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| where Transition=1
| eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
| stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And if you want run count for each transition too, try this
yoursearch
| delta PV as Transition
| sort -_time
| streamstats sum(PV) as RunCount reset_before=PV=0
| where Transition=1
| eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
| stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Giuseppe,
I'm sorry. I've not explained well. I want to know when the PV transits from 0 to 1 (i.e. start of a process run), and a count-up of the events in the run. There can be a number of runs. Pls. refer to my table. There are 2 runs. 1st run has 4 events; while 2nd run has 7 events. Later, i want to compare the runs' countup, say Run 1 & 2 at Step 3.
Pls. advise. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Please try this code to count 0 to 1 transitions:
yoursearch
| delta PV as Transition
| stats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi htkwan,
if you want to know when PV transit from 0 to 1 you could run a search like this:
your_index PV=1
| table _time PV Step
if you want to know how many times PV passed from 0 to 1 you could run:
your_index PV=1
| stats count
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
0 to 1 and 1 to 0 is not the same thing 🙂
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
