Solved: Re: count between events

mkrauss1 · ‎08-31-2015

I would like to count values between an event and i'm not getting an entry point for this at all.

Assume i get an event like:

SOURCE=ABC EVENT=1

and from there i would like to count all results given in RESULT:

SOURCE=ABC RESULT=1

until the event goes off

SOURCE=ABC EVENT=0

Idealy this would work with multiple sources like

 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0

And then return something like

 RESULT_TOTAL=3

Any ideas how to achieve this?

somesoni2 · ‎08-31-2015

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

View solution in original post

somesoni2 · ‎08-31-2015

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

mkrauss1 · ‎08-31-2015

Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after

SOURCE=ABC EVENT=0

until

SOURCE=ABC EVENT=1

and ignore (don't) count anything else?

somesoni2 · ‎08-31-2015

How about this

your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1

mkrauss1 · ‎08-31-2015

Great, Thanks!

count between events

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio