I would like to count values between an event and I'm not getting an entry point for this at all.
Assume I get an event like:
SOURCE=ABC EVENT=1
and from there I would like to count all results given in RESULT:
SOURCE=ABC RESULT=1
until the event goes off:
SOURCE=ABC EVENT=0
Ideally this would work with multiple sources like
 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0
and then return something like
 RESULT_TOTAL=3
Any ideas how to achieve this?
Maybe something like this:
your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE 
If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this at the end of the above search:
....| where mvcount(EVENT)=2
Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after
SOURCE=ABC EVENT=0
until
SOURCE=ABC EVENT=1
and ignore (don't count) anything else?
How about this:
your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1
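The two answers above aggregate with `stats`, so `sum(RESULT)` adds up every RESULT row for a SOURCE regardless of where it sits relative to the EVENT=1 / EVENT=0 markers; the `where` clauses then keep or drop the whole SOURCE. The follow-up question asks for something different: a per-source window that opens on one EVENT value, closes on the other, and only counts RESULT rows that arrive while the window is open. The Python below is an added illustration of that stateful window logic, not code from the thread or from Splunk, and the sample log lines in it are constructed for the example (they extend the thread's sample with RESULT rows that fall outside any window). The start and stop values are parameters so the same function covers the original question (open on EVENT=1, close on EVENT=0) and the follow-up (open on EVENT=0, close on EVENT=1).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Matches KEY=VALUE pairs, allowing a double-quoted value with spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the thread's six lines plus two RESULT rows that lie
# outside any open window (ABC after it closed, GHI never opened).
SAMPLE_LINES: List[str] = [
    "SOURCE=ABC EVENT=1",
    "SOURCE=DEF EVENT=1",
    "SOURCE=ABC RESULT=1",
    "SOURCE=ABC EVENT=0",
    "SOURCE=ABC RESULT=5",
    "SOURCE=DEF RESULT=2",
    "SOURCE=DEF EVENT=0",
    "SOURCE=GHI RESULT=7",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one KEY=VALUE line into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ungated_total(lines: Iterable[str]) -> int:
    """What `stats sum(RESULT) by SOURCE` does in effect: sum every RESULT,
    ignoring where it sits relative to the EVENT markers."""
    total = 0
    for line in lines:
        ev = parse_event(line)
        if "RESULT" in ev and ev["RESULT"].lstrip("-").isdigit():
            total += int(ev["RESULT"])
    return total


def gated_result_total(
    lines: Iterable[str], start_value: str = "1", stop_value: str = "0"
) -> Tuple[int, Dict[str, int], int]:
    """Sum RESULT only while a SOURCE's window is open.

    A window for SOURCE opens on EVENT=start_value and closes on
    EVENT=stop_value. RESULT rows for a SOURCE with no open window, rows
    without a SOURCE, and non-numeric RESULT values are counted as ignored.
    Returns (RESULT_TOTAL, per-source totals, number of ignored rows).
    Lines are processed in the order given, so feed them oldest first.
    """
    open_windows = set()          # sources whose window is currently open
    per_source: Dict[str, int] = {}
    ignored = 0
    for line in lines:
        ev = parse_event(line)
        src = ev.get("SOURCE")
        if src is None:
            ignored += 1
            continue
        if "EVENT" in ev:
            if ev["EVENT"] == start_value:
                open_windows.add(src)
            elif ev["EVENT"] == stop_value:
                open_windows.discard(src)
            continue                # marker rows carry no RESULT to count
        if "RESULT" in ev:
            if not ev["RESULT"].lstrip("-").isdigit():
                ignored += 1        # malformed value: do not silently drop to 0
                continue
            if src in open_windows:
                per_source[src] = per_source.get(src, 0) + int(ev["RESULT"])
            else:
                ignored += 1        # RESULT outside any window for this source
    return sum(per_source.values()), per_source, ignored


if __name__ == "__main__":
    print("ungated:", ungated_total(SAMPLE_LINES))
    print("EVENT=1 .. EVENT=0:", gated_result_total(SAMPLE_LINES))
    print("EVENT=0 .. EVENT=1:", gated_result_total(SAMPLE_LINES, "0", "1"))
```

Because the window state is per SOURCE, interleaved sources are handled independently, which is the multi-source case the original question asks for. Ordering is the one thing to watch: the function trusts the order it is given, so when the rows come out of a search that returns newest first, reverse them before counting or the windows open and close backwards.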
Great, Thanks!
