Solved: For all occurences, get the duration of a value dr...

jpass · ‎05-23-2017

I have events that show signal strength. What I want to do is determine the start_time, end_time and duration of any period where the signal strength drops below what is considered 'normal'. My events have two different signals: signal_id=1 and signal_id=2.

Example event:
_time, signal_id, signal_strength, normal_signal
2017-05-16 16:17:28, 1,17.38,14.28

Output I'd like to see:
start_time,end_time,duration,signal_id

woodcock · ‎05-23-2017

Like this:

Your Base Search Here
| streamstats count(eval(signal_strength>=normal_signal)) AS sessionID BY signal_id
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration count AS numEvents BY signal_id sessionID
| search numEvents>1

View solution in original post

woodcock · ‎05-23-2017

Like this:

Your Base Search Here
| streamstats count(eval(signal_strength>=normal_signal)) AS sessionID BY signal_id
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration count AS numEvents BY signal_id sessionID
| search numEvents>1

jpass · ‎05-23-2017

Yes thank you much.

For all occurences, get the duration of a value dropping below a threshhold

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life