Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

count between events

mkrauss1
Explorer
‎08-31-2015 08:07 AM

I would like to count values between an event and i'm not getting an entry point for this at all.

Assume i get an event like:

SOURCE=ABC EVENT=1

and from there i would like to count all results given in RESULT:

SOURCE=ABC RESULT=1

until the event goes off

SOURCE=ABC EVENT=0

Idealy this would work with multiple sources like

 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0

And then return something like 

 RESULT_TOTAL=3

Any ideas how to achieve this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2
0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 08:54 AM

Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after

SOURCE=ABC EVENT=0

until

SOURCE=ABC EVENT=1

and ignore (don't) count anything else?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-31-2015 09:00 AM

How about this

your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1

0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 09:28 AM

Great, Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...