Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk query request to identify a continous sequence of number

venky1544
Builder
‎10-04-2021 06:28 AM

i have a below data generated by a timechart  i'm trying to write a query where if there are continous sequence of number 1 in a span of 15 mins  it should alert me 

index=abc  "Heartbeat*"  |timechart span=2m count 

2021-10-04 10:20:001
2021-10-04 10:22:001
2021-10-04 10:24:001
2021-10-04 10:26:001
2021-10-04 10:28:001

 

when the

 

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎10-04-2021 07:43 AM

Give this a try

index=abc  "Heartbeat*"  |timechart span=2m count 
| streamstats current=f window=1 values(count) as prev_count
| stats sum(eval(abs(count-prev_count))) as diff
| where diff=0

Basically comparing every row's count value with previous row's count value and checking if difference is 0 (means they're all same).

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-04-2021 10:01 PM

There is a command especially for using previous values - autoregress

So checking if the value is the same as previous one is easier:

<your-search> | autoregress field
| where field=field_p1

But I think I'd use a transaction here. With resetonchange=t

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...