Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: count between events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to count values between an event and i'm not getting an entry point for this at all.
Assume i get an event like:
SOURCE=ABC EVENT=1
and from there i would like to count all results given in RESULT:
SOURCE=ABC RESULT=1
until the event goes off
SOURCE=ABC EVENT=0
Idealy this would work with multiple sources like
SOURCE=ABC EVENT=1
SOURCE=DEF EVENT=1
SOURCE=ABC RESULT=1
SOURCE=ABC EVENT=0
SOURCE=DEF RESULT=2
SOURCE=DEF EVENT=0
And then return something like
RESULT_TOTAL=3
Any ideas how to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May be something like this
your base search | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE
If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search
....| where mvcount(EVENT)=2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May be something like this
your base search | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE
If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search
....| where mvcount(EVENT)=2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after
SOURCE=ABC EVENT=0
until
SOURCE=ABC EVENT=1
and ignore (don't) count anything else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
