Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

count between events

mkrauss1
Explorer
‎08-31-2015 08:07 AM

I would like to count values between an event and i'm not getting an entry point for this at all.

Assume i get an event like:

SOURCE=ABC EVENT=1

and from there i would like to count all results given in RESULT:

SOURCE=ABC RESULT=1

until the event goes off

SOURCE=ABC EVENT=0

Idealy this would work with multiple sources like

 SOURCE=ABC EVENT=1
 SOURCE=DEF EVENT=1
 SOURCE=ABC RESULT=1
 SOURCE=ABC EVENT=0
 SOURCE=DEF RESULT=2
 SOURCE=DEF EVENT=0

And then return something like 

 RESULT_TOTAL=3

Any ideas how to achieve this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:13 AM

May be something like this

your base search   | stats values(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE

If you don't want to count the RESULT if there is no EVENT=0 after that, then just add this in the end of the above search

....| where mvcount(EVENT)=2
0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 08:54 AM

Thanks for this. The sample looks stateless and counts any RESULT as long as EVENT is appearing. Is it possible to set a trigger? Say the count applies only after

SOURCE=ABC EVENT=0

until

SOURCE=ABC EVENT=1

and ignore (don't) count anything else?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-31-2015 09:00 AM

How about this

your base search | stats list(EVENT) as EVENT sum(RESULT) as RESULT by SOURCE | where mvindex(EVENT,0)=0 AND mvindex(EVENT,1)=1

0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎08-31-2015 09:28 AM

Great, Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...