Consecutively two times- possible ?

reverse · ‎10-23-2019

 _time                 entity_id    value      duration
 2016-01-21 06:52:04    lightA        1           770
 2016-01-21 06:52:09    lightB        1           765
 2016-01-21 06:52:10    lightC        1           769
 2016-01-21 07:04:54    lightB        0           664
 2016-01-21 07:04:54    lightA        0           663
 2016-01-21 07:04:59    lightC        0           9416
 2016-01-21 07:15:57    lightC        1           8776
 2016-01-21 07:15:58    lightB        1           8775

assuming above is the outcome of my query . I want to reduce this result to data where lightC came Consecutively in two rows back to back .. possible ?

to4kawa · ‎10-24-2019

| stats count
| eval _raw="time,entity_id,value,duration
2016-01-21 06:52:04,lightA,1,770
2016-01-21 06:52:09,lightB,1,765
2016-01-21 06:52:10,lightC,1,769
2016-01-21 07:04:54,lightB,0,664
2016-01-21 07:04:54,lightA,0,663
2016-01-21 07:04:59,lightC,0,9416
2016-01-21 07:15:57,lightC,1,8776
2016-01-21 07:15:58,lightB,1,8775"
| multikv forceheader=1
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S")
`comment("this is sample data")`
| table _time,entity_id,value,duration
`comment("this is sample data")`
| where entity_id=="lightC" AND value==1

Hi, this is sample query.

_time   entity_id   value   duration
2016/01/21 06:52:10 lightC  1   769
2016/01/21 07:15:57 lightC  1   8776

Is this the result you expected?

arjunpkishore5 · ‎10-23-2019

Possible. However, since I don't have more details on what the final outcome is, I don't have a code sample.

Take a look at streamstats with the reset_on_change flag.
https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Streamstats

Consecutively two times- possible ?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!