Grouping a "time" span from one true value to anot...

krwinters11 · ‎12-08-2014

I have a boolean value in my data set. I want to group all event together that are between the event(a) right after a boolean value goes true all the way through to the next event(b) with a true value. So then the next grouping would start at the next event(c) (directly after the event(b)) and include every event through to the next event(d) with a true value, and so on.

My difficulties are coming from the fact that is is not actually based on a time field and the time between true events, constantly changes. Is it possible for this to be calculated on the fly, while doing a search. In the end, I would like to look at several of these groups to then use the predict command.

If I am not clear, please ask me to elaborate further. The question probably seems clearer in my head...

DalJeanis · ‎04-26-2017

Sounds like what you want is the transaction command, with the startswith= set to detect your boolean true.

You could also do something like ...

| makeresults  | eval mybool="T F F F T F T F T T F F F F T F" | makemv mybool | mvexpand mybool 
| streamstats count as recno | eval _time = relative_time(now(),"-1h@h") + 60*recno
| rename COMMENT as "The above just generates some events with mybool=T or mybool=F."

| streamstats count(eval(mybool="T")) as setno

Each record will then have a value for setno based on the last event that mybool was true.

kenvanderheyden · ‎12-30-2014

Hello,

If I understand correctly you want to calculate the time between the "true" events based on another field than the _time ?

You can do this, using the delta between the "true" events as follows:

This calculates the time between events in days, and displays the results in a timechart with span of 1 week (7 days).
Hope this helps.

Regards,
Ken.

Grouping a "time" span from one true value to another

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!