Hi all,
Is there a way to produce a count of consecutive like events in Splunk?
bookingEvent
bookingEvent
bookingEvent
bookingEvent
failureEvent
failureEvent
bookingEvent
bookingEvent
bookingEvent 4
failureEvent 2
bookingEvent 2
Hi,
Let's try something and tell me if it works.
If your field is TypeEvent, you search:
| streamstats count as NbrOfConsecutiveEvents BY TypeEvent reset_on_change=true
| reverse
| streamstats count as nb BY TypeEvent reset_on_change=true
| where nb=1
Hope it helps
KailA
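To see why the two-pass trick above works, here is an added Python model (not from the thread or from Splunk) of `streamstats count BY <field> reset_on_change=true`, run forward, then over the reversed rows, keeping the rows whose second count is 1. The field name TypeEvent and the event list are taken from the question; a plain run-length version is included as a cross-check.

```python
from itertools import groupby

# Constructed sample input: the event sequence from the question, in time order.
EVENTS = [
    "bookingEvent", "bookingEvent", "bookingEvent", "bookingEvent",
    "failureEvent", "failureEvent",
    "bookingEvent", "bookingEvent",
]


def streamstats_reset_on_change(rows, field):
    """Model of `streamstats count BY <field> reset_on_change=true`:
    the running count restarts at 1 whenever the field's value changes.
    Rows are processed in the order given, just as streamstats does."""
    out, count, prev = [], 0, object()   # sentinel: nothing matches the first row
    for row in rows:
        count = count + 1 if row[field] == prev else 1
        prev = row[field]
        out.append({**row, "count": count})
    return out


def consecutive_counts_two_pass(values, field="TypeEvent"):
    """Reproduce the accepted answer: count forward, reverse, count again,
    keep rows where the second count is 1 (the last row of each run, which
    carries that run's full length). Results are flipped back to time order."""
    rows = [{field: v} for v in values]
    first = streamstats_reset_on_change(rows, field)
    rows = [{field: r[field], "NbrOfConsecutiveEvents": r["count"]} for r in first]
    rows.reverse()                       # `| reverse`
    second = streamstats_reset_on_change(rows, field)
    kept = [r for r in second if r["count"] == 1]   # `| where nb=1`
    kept.reverse()                       # Splunk would leave these newest-first
    return [(r[field], r["NbrOfConsecutiveEvents"]) for r in kept]


def consecutive_counts(values):
    """Plain run-length encoding, used here only to cross-check the model."""
    return [(v, len(list(g))) for v, g in groupby(values)]


if __name__ == "__main__":
    for name, n in consecutive_counts_two_pass(EVENTS):
        print(name, n)      # bookingEvent 4 / failureEvent 2 / bookingEvent 2
```

In Splunk the input order matters: a search returns events newest-first by default, so sort (or `reverse`) into the order you want counted before the first `streamstats`.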
Thanks for your help. It works for me.
Let's say your field is "eventName", try something like
| autoregress eventName
| eval consecutiveEvent=if(eventName_p1=eventName, 1, 0)
| streamstats current=t count(eval(consecutiveEvent=0)) AS eventGroup
| stats values(eventName) AS eventName, count BY eventGroup
It would be best to assign each value to a field. Then you can do:
your_search | stats count by type_event
where type_event = bookingEvent OR type_event = failureEvent.
But just based on your raw data above, this should work:
your_search | rex field=_raw "(?<type_event>\w+)Event" | stats count by type_event
The other data might be needed to properly correlate these events.
Hi,
I have a similar issue, and I have one more column, Date, along with the column he shared.
Date : Status
1/1/2018 : Green
1/2/2018 : Green
1/3/2018 : Red
1/4/2018 : Green
1/5/2018 : Red
Desired result is:
Status : Count
Green : 2
Red : 1
Green : 1
Red : 1
There is other data, yes; I have simplified it for the purpose of this question.
Do you have any other data in the log?
Thanks alacercogitatus, but this gives a count of all events over the time period, which is not what I want. I want to produce a count of the consecutive like events.