You're probably going to need streamstats - here's an example that demonstrates 5 printers with randomised printing, error and spooling statuses and it then uses streamstats to find each occurrence of printer_error and then counts the occurrences of spooling after the error - it handles multiple occurrences of error followed by spooling

| makeresults count=1000
| streamstats c
| eval _time=now() - (c * 60)
| sort _time
| eval printer="Printer ".(random() % 5), r=random() % 100, status=case(r<3, "printing,error", r<90, "printing", r<100, "spooling")
| fields - r c
| search status IN ("printing,error","spooling")
``` Up to the above is just creating dummy data then removing all the printing events so just error and spooling are left ```
``` Create an occurrence group for each failure ```
| streamstats count(eval(status="printing,error")) as occurrence by printer
``` Ignore the first as it's not relevant here ```
| where occurrence>0
``` Now count spooling events by failure occurrence and save start/end times ```
| stats min(_time) as printer_error max(_time) as last_spooling count(eval(status="spooling")) as spooling by occurrence printer
| fieldformat last_spooling=strftime(last_spooling, "%F %T")
| fieldformat printer_error=strftime(printer_error, "%F %T")
| sort printer printer_error

Hopefully this will give you something to start with
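The grouping logic of the SPL above, reproduced offline as an added example (Python rather than SPL; not part of the original answer) so the streamstats/stats behaviour can be checked on known input. The events are constructed, and the "printing" rows are assumed to be filtered out already, as the `search status IN (...)` step does.

```python
from collections import defaultdict
from datetime import datetime, timezone

T0 = 1_700_000_000  # constructed base timestamp (epoch seconds)

# Constructed sample events, not from the original post: (epoch, printer, status).
# "printing" rows are already dropped, as the SPL `search status IN (...)` does.
EVENTS = [
    (T0 + 0,   "Printer 0", "printing,error"),
    (T0 + 60,  "Printer 0", "spooling"),
    (T0 + 120, "Printer 0", "spooling"),
    (T0 + 180, "Printer 0", "printing,error"),
    (T0 + 240, "Printer 0", "spooling"),
    (T0 + 30,  "Printer 1", "spooling"),        # spooling before any error: dropped by where occurrence>0
    (T0 + 90,  "Printer 1", "printing,error"),  # error with no spooling after it
]


def error_spooling_stats(events):
    """Mirror the SPL: streamstats count(error) by printer -> where occurrence>0
    -> stats min/max(_time), count(spooling) by occurrence printer -> sort."""
    occurrence = defaultdict(int)  # running error count per printer (streamstats ... by printer)
    groups = {}
    for t, printer, status in sorted(events, key=lambda e: e[0]):  # | sort _time
        if status == "printing,error":
            occurrence[printer] += 1          # streamstats includes the current event in its count
        occ = occurrence[printer]
        if occ == 0:
            continue                          # | where occurrence>0
        g = groups.setdefault((printer, occ), {"occurrence": occ, "printer": printer,
                                               "printer_error": t, "last_spooling": t, "spooling": 0})
        g["printer_error"] = min(g["printer_error"], t)  # min(_time): the error that opened the group
        g["last_spooling"] = max(g["last_spooling"], t)  # max(_time): equals the error time if nothing spooled
        if status == "spooling":
            g["spooling"] += 1
    return sorted(groups.values(), key=lambda g: (g["printer"], g["printer_error"]))


def fmt(epoch):
    """Equivalent of fieldformat ... strftime(x, "%F %T"), rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for row in error_spooling_stats(EVENTS):
        print(row["printer"], row["occurrence"], fmt(row["printer_error"]),
              fmt(row["last_spooling"]), row["spooling"])
```

Note that for an error with no spooling after it, `last_spooling` equals `printer_error`, because `max(_time)` over the group only sees the error event; a `spooling` count of 0 is the reliable signal in that case.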