Solved: What is the best way to count the number of times ...

606866581 · ‎02-17-2017

Hi Everyone,

I've been using Splunk for a few years but I'm looking for a nice way to capture the number of times a user has changed a particular setting. For simplicity sake the setting can be 1 or 0.

2017-02-17 01:00:00 IP=1.1.1.1 Setting=0
2017-02-17 02:00:00 IP=1.1.1.1 Setting=0
2017-02-17 03:00:00 IP=1.1.1.1 Setting=1
2017-02-17 03:00:00 IP=2.2.2.2 Setting=0
2017-02-17 04:00:00 IP=2.2.2.2 Setting=1
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0

I'm looking to produce a table to summarize this which will look like:

IP, Times toggled
1.1.1.1, 2
1.1.1.1, 1

The dataset is too large to use transaction so I'm hoping there's a nifty command that I can use which caters for this.
Thanks!

somesoni2 · ‎02-17-2017

Give this a try

your current search which include fields _time IP and Setting
| sort 0 IP _time
| streamstats current=f window=1 values(Setting) as prevSetting by IP 
| where Setting!=prevSetting
| stats count as "Times Toggled" by IP

View solution in original post

somesoni2 · ‎02-17-2017

Give this a try

your current search which include fields _time IP and Setting
| sort 0 IP _time
| streamstats current=f window=1 values(Setting) as prevSetting by IP 
| where Setting!=prevSetting
| stats count as "Times Toggled" by IP

niketn · ‎02-17-2017

You can try streamstats

<Your Base Search>
| streamstats count by IP reset_on_change=true

Please refer to the documentation on the same: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Streamstats

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

What is the best way to count the number of times a field has been changed or toggled?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!