Splunk7: Status = Count Up when PV's Value transits from 0 to 1

htkwan
Path Finder

Hello,
I'm new to Splunk. Need advice. Want to do a count-up (Step) when a Tag's value (PV) transits from 0 to 1. Step is a new field.
_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0

Pls. advise. Thanks

0 Karma

tiagofbmm
Influencer

This way you still keep the PV

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | eventstats sum(eval(if(Transition==1,1,0))) as Total_0_to_1_Transitions
    | fields _time, RunCount, PV, Total_0_to_1_Transitions
0 Karma

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

htkwan
Path Finder

Hello tiagofbmm,
Just try. I need the "Step" to count when the PV transits from 0 to 1. See, below, a sample result (table). I'll need the Step for further work. I appreciate your advice.

_time PV Step
3/24/2018 11:00:00 1 0
3/24/2018 11:00:01 1 0
3/24/2018 11:00:02 1 0
3/24/2018 11:00:03 0 0
3/24/2018 11:00:04 0 0
3/24/2018 11:00:05 1 1
3/24/2018 11:00:06 1 2
3/24/2018 11:00:07 1 3
3/24/2018 11:00:08 1 4
3/24/2018 11:00:09 0 0
3/24/2018 11:00:10 0 0
3/24/2018 11:00:11 0 0
3/24/2018 11:00:12 0 0
3/24/2018 11:00:13 0 0
3/24/2018 11:00:14 1 1
3/24/2018 11:00:15 1 2
3/24/2018 11:00:16 1 3
3/24/2018 11:00:17 1 4
3/24/2018 11:00:18 1 5
3/24/2018 11:00:19 1 6
3/24/2018 11:00:20 1 7
3/24/2018 11:00:21 0 0
3/24/2018 11:00:22 0 0
3/24/2018 11:00:23 0 0
3/24/2018 11:00:24 0 0
3/24/2018 11:00:25 0 0

0 Karma

htkwan
Path Finder

Hello tiagofbmm,
I'm interested in the countup when the PV transits from 0 to 1, not the total number of transitions. Pls advise. Thanks

0 Karma

tiagofbmm
Influencer

Did you try this search? It counts when the PV transits from 0 to 1 and also gives you the run count. Try it and let me know.

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | where Transition=1
    | eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
    | stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
0 Karma

tiagofbmm
Influencer

And if you want run count for each transition too, try this:

yoursearch
    | delta PV as Transition
    | sort -_time
    | streamstats sum(PV) as RunCount reset_before=PV=0
    | where Transition=1
    | eventstats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
    | stats values(RunCount) as RunCount, values(_time) as Time by 0_to_1_Transitions
0 Karma

htkwan
Path Finder

Hello Giuseppe,
I'm sorry. I've not explained well. I want to know when the PV transits from 0 to 1 (i.e. start of a process run), and a count-up of the events in the run. There can be a number of runs. Pls. refer to my table. There are 2 runs. 1st run has 4 events; while 2nd run has 7 events. Later, I want to compare the runs' countup, say Run 1 & 2 at Step 3.

Pls. advise. Thanks.

0 Karma

tiagofbmm
Influencer

Hello

Please try this code to count 0 to 1 transitions:

yoursearch
    | delta PV as Transition
    | stats sum(eval(if(Transition==1,1,0))) as 0_to_1_Transitions
0 Karma

gcusello
SplunkTrust

Hi htkwan,
If you want to know when PV transits from 0 to 1 you could run a search like this:

your_index PV=1
| table _time PV Step

If you want to know how many times PV passed from 0 to 1 you could run:

your_index PV=1
| stats count

Bye.
Giuseppe

0 Karma

tiagofbmm
Influencer

0 to 1 and 1 to 0 is not the same thing 🙂

0 Karma
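
One way to produce the Step column from the question's table, as an added example that is not from any poster in this thread. The first four lines only construct the question's 26 sample events so the search runs on its own; replace them with your base search. Run, run_start and n are hypothetical field names. `delta` compares each event with the one before it in result order, so the events are sorted oldest-first before it runs.

```spl
| makeresults count=26
| streamstats count as i
| eval _time=strptime("3/24/2018 11:00:00", "%m/%d/%Y %H:%M:%S") + i - 1
| eval PV=if(i<=3 OR (i>=6 AND i<=9) OR (i>=15 AND i<=21), 1, 0)
``` constructed sample data ends here; real searches start below ```
| sort 0 _time
``` Transition = PV minus previous PV: 1 on a 0-to-1 edge, -1 on a 1-to-0 edge ```
| delta PV as Transition
``` flag the first event of each run; the first event has no Transition and gets 0 ```
| eval run_start=if(Transition==1, 1, 0)
``` running total of edges numbers the runs; events before the first edge stay in run 0 ```
| streamstats sum(run_start) as Run
``` position of each event inside its run (the PV=1 events come first in every run) ```
| streamstats count as n by Run
``` Step counts up only while PV=1 inside a run that began with an observed 0-to-1 edge ```
| eval Step=if(PV==1 AND Run>0, n, 0)
| table _time PV Run Step
```

On the sample data this gives Step 1 to 4 for the run starting at 11:00:05 and 1 to 7 for the run starting at 11:00:14, with 0 everywhere else, including the three leading PV=1 events that have no observed transition. Appending `| where Step==3` leaves one row per run for comparing runs at the same step.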