You're getting close. One streamstats is not enough because you can't "pull" events you already passed while processing the stream. Assuming you want to find when you have at least three consecutive ACC=1, you can do it like this:

| eval Description=case(RML<104.008, "0", RML>108.425, "1", RML>=104.008, "OK", RML<=108.425, "OK")
| eval Warning=case(Description==0, "LevelBreach", Description==1, "LevelBreach")
| table LWL UWL RML
| eval CR=if(RML<UWL,"0",if(RML>LWL,"1","0"))
| streamstats window=3 sum(ACC) as running_count

This will mark the last of three consecutive ACC=1 with running_count=3. So we're on the right track: so far we've found where our streak ends. Now we have to do a little trick. Since we can't pull events "from behind", we need to

| reverse

so that we're looking at our events in the other order. Now we know that the event with running_count=3 will be starting our 3-event streak. So now we have to mark our 3 events looking forward:

| streamstats current=t window=3 max(running_count) as mark_count

This will give us a value of mark_count=3 for all events for which any of the last three events had running_count of 3 (which means that we're no further than 3 events from the _last_ event of our 3-event streak). Now all we have to do is find all those events we marked:

| where mark_count=3

And now we can just tidy up after ourselves:

| fields - running_count mark_count
| reverse

And there you have it. Unfortunately, since it uses the reverse command it can be quite memory consuming (and might even have some limits I'm not aware of at this time).
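As an added illustration (not part of the original answer), here is a plain-Python model of the streamstats/reverse pipeline above, so you can check which events it marks before running it on real data. The field names ACC, running_count and mark_count come from the answer; the event list is constructed, and the streamstats helper is an assumption that mimics the window=N, current=t behaviour.

```python
# Added example: a Python model of the streamstats / reverse pipeline.
# Field names (ACC, running_count, mark_count) follow the answer above;
# the event stream is constructed for illustration.
from collections import deque


def streamstats_window(events, field, fn, window, out):
    """Mimic `streamstats window=N fn(field) as out` with current=t (the
    default): fn over the current event plus the previous window-1 events,
    evaluated in stream order. Assumed helper, not a Splunk API."""
    buf = deque(maxlen=window)
    for ev in events:
        buf.append(ev[field])
        ev[out] = fn(buf)
    return events


def mark_streaks(events, length=3):
    """Return the events that belong to a run of at least `length` ACC=1."""
    # | streamstats window=3 sum(ACC) as running_count
    streamstats_window(events, "ACC", sum, length, "running_count")
    # | reverse
    events = events[::-1]
    # | streamstats current=t window=3 max(running_count) as mark_count
    streamstats_window(events, "running_count", max, length, "mark_count")
    # | where mark_count=3
    events = [ev for ev in events if ev["mark_count"] == length]
    # | fields - running_count mark_count
    for ev in events:
        del ev["running_count"], ev["mark_count"]
    # | reverse  (back to the original order)
    return events[::-1]


# Constructed sample stream: a run of 2 (too short), a run of exactly 3,
# and a run of 5, separated by ACC=0 events. _time is just the position.
SAMPLE = [{"_time": t, "ACC": a} for t, a in
          enumerate([1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0])]

if __name__ == "__main__":
    # Expect the events at _time 3-5 and 8-12 only.
    for ev in mark_streaks([dict(ev) for ev in SAMPLE]):
        print(ev)
```

Runs longer than three are marked in full, because every event in them is within three events of some running_count=3 event, while the ACC=0 event just after a run is not marked (its mark_count stays below 3).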