Group events that occur continuously and contain a...

ollie920049 · ‎09-05-2016

I would like to group continuous events that occur in order over time, and have a common name.

For example:

_time name
2016-09-05 10:15:36.691 A
2016-09-05 10:15:32.519 B
2016-09-05 10:15:22.708 C
2016-09-05 10:10:37.374 C
2016-09-05 10:10:25.848 B
2016-09-05 10:10:08.099 B
2016-09-05 10:10:03.349 B
2016-09-05 10:09:31.304 A
2016-09-05 10:09:16.339 A
2016-09-05 10:09:07.415 A

Would yield:
_time name count
2016-09-05 10:15:36.691 A 1
2016-09-05 10:15:32.519 B 1
2016-09-05 10:15:22.708 C 2
2016-09-05 10:10:25.848 B 3
2016-09-05 10:09:31.304 A 3

Stats and transaction seem to work over all events in a stream, and I haven't found an obvious was to cluster based on the continuous nature of the data.

Thanks in advance

somesoni2 · ‎09-05-2016

Try like this

your base search | streamstats current=f window=1 values(name) prev | eval temp=case(isnull(prev),1,prev!=name,1,true(),0) | accum temp| eventstats count by temp | fields - temp

renjith_nair · ‎09-05-2016

If the splunk version is 6.4 or above , try this

|streamstats count as s_c by name reset_on_change=true current=t

Happy Splunking!

Group events that occur continuously and contain a common name

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!