Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

count between events

mkrauss1
Explorer
‎08-31-2015 08:07 AM

I would like to count values between an event and i'm not getting an entry point for this at all.

Assume i get an event like:

SOURCE=ABC EVENT=1

and from there i would like to count all results given in RESULT:

SOURCE=ABC RESULT=1

until the event goes off

SOURCE=ABC EVENT=0

Idealy this would work with multiple sources like

 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0

And then return something like 

 RESULT_TOTAL=3

Any ideas how to achieve this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2
0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 08:54 AM

Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after

SOURCE=ABC EVENT=0

until

SOURCE=ABC EVENT=1

and ignore (don't) count anything else?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-31-2015 09:00 AM

How about this

your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1

0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 09:28 AM

Great, Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...