Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the existence of a preceding event in timechart?

pm771
Communicator
‎08-11-2020 04:20 PM

I have an index where each event has unique EventID and Status fields.

Each event is progressing through multiple interim statuses until it reaches one of the two terminal statuses: SUCCESS or FAILURE.  Each event goes through a subset of all possible interim statuses.

I'm trying to build a timechart that would show two counts:  All Failed Events and Failed Events  with a certain Interim Status.

One of the problems is that a preceding interim event could be outside of the span interval.

I was thinking something along these lines (not necessarily syntactically correct): 

 

index=... sourcetype=... Status IN ("FAILURE", "INTERIM") 
| timechart span=5m count by  EventId  
| untable _time eventCount
| stats count as "All" count(eval(EventCount==2)) as "With Interim" by _time

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎08-11-2020 04:40 PM 
index=... sourcetype=... Status IN ("FAILURE", "INTERIM") 
| stats min(eval(if(Status="INTERIM",_time,NULL))) as Interim min(eval(if(Status="FAILURE",_time,NULL))) as Failure by EventId
| eval Interim_EventID=if(isnotnull(Interim),EventID,NULL)
| eval time=mvappend(Interim,Failure)
| mvexpand time
| rename time as _time
| table _time EventId Interim_EventID
| sort _time


and
| timechart span=5m count(EventId) count(Interim_EventID)

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎08-11-2020 04:40 PM 
index=... sourcetype=... Status IN ("FAILURE", "INTERIM") 
| stats min(eval(if(Status="INTERIM",_time,NULL))) as Interim min(eval(if(Status="FAILURE",_time,NULL))) as Failure by EventId
| eval Interim_EventID=if(isnotnull(Interim),EventID,NULL)
| eval time=mvappend(Interim,Failure)
| mvexpand time
| rename time as _time
| table _time EventId Interim_EventID
| sort _time


and
| timechart span=5m count(EventId) count(Interim_EventID)

Reply
Solved! Jump to solution

pm771
Communicator
‎08-11-2020 07:49 PM

@to4kawa ,

Thank you. It works.

Since I'm dealing with relatively large data sets I stumbled into 10,000 limit on sort.  

So, I used sort 0 _time.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...