We have periodic events of the same kind and I want to count the time (duration) and the number of other events (eventcount) between them. For example, consider streams of events coming from different streams:
stream=1: Marker
stream=2: Marker
stream=1: Marker
stream=3: Marker
stream=3: Marker
stream=2: Marker
I tried using a transaction with the same start- and stop- condition:
transaction stream startswith=Marker endswith=Marker
expecting it to do what I want -- but instead, every such "transaction" has a duration of 0 and event-count of 1. Instead of three transactions in the above example, I got six...
How can I create a stream of transactions, where the starting event of the next one is also the ending event of the previous?
Like this:
Your Search Here
| streamstats count(eval(YourMarkerFieldHere="YourMarkerValueHere")) AS sessionID
| stats count BY sessionID
| makeresults count=2
| streamstats count
| eval _time=if((count == 2),relative_time('_time',"-1@d"),relative_time('_time',"@m"))
| makecontinuous span=1m
| eval stream=((random() % 3) + 1)
`comment("this is sample data")`
| streamstats count
| xyseries count stream _time
| sort count
| eval count=1
| stats delim="," list(*) as stream* by count
| eval count=max(mvcount(stream1),mvcount(stream2),mvcount(stream3))
| eval counter=mvrange(1,count)
| mvexpand counter
| foreach stream*
[eval stream_<<MATCHSTR>> = mvindex(<<FIELD>>,counter - 1)]
| autoregress stream_1 as stream_1_p
| autoregress stream_2 as stream_2_p
| autoregress stream_3 as stream_3_p
| fields stream_*
| foreach stream_* stream_*_p
[eval duration_stream_<<MATCHSEG1>>= round(stream_<<MATCHSEG1>> - stream_<<MATCHSEG1>>_p)]
| foreach stream_*
[eval <<FIELD>>=strftime(<<FIELD>>,"%F %T")]
| fields - stream_*_*
I tried various things on the premise of extracting the stream fields.
@unitedmarsupials
Sample events and expected output will help us to work on your issue.
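
Added example, not part of any post in this thread: one way to get chained intervals where each Marker both closes the previous interval and opens the next, by carrying the running-marker-count idea from the first answer per stream and then looking up the next marker's time. The sample events and the field names `event`, `is_marker`, `start_time` and `end_time` are assumptions made for the example; the `comment` macro is used the same way as in the search above.

```spl
| makeresults
| eval raw=split("0,1,Marker;10,2,Marker;20,1,other;30,1,other;40,1,Marker;50,3,Marker;60,3,Marker;70,2,other;80,2,Marker", ";")
| mvexpand raw
| eval _time=relative_time(now(), "@d") + tonumber(mvindex(split(raw, ","), 0)),
       stream=mvindex(split(raw, ","), 1),
       event=mvindex(split(raw, ","), 2)
`comment("constructed sample data above: offset in seconds, stream, event type; replace with your base search")`
| eval is_marker=if(event=="Marker", 1, 0)
| sort 0 stream _time
| streamstats sum(is_marker) AS sessionID BY stream
`comment("sessionID = number of Markers seen so far in this stream; events before the first Marker get 0 and are dropped")`
| where sessionID > 0
| stats min(_time) AS start_time count(eval(is_marker=0)) AS eventcount BY stream sessionID
| sort 0 stream -sessionID
`comment("in reverse order the previous row is the next interval, so its start_time is the closing Marker of this one")`
| streamstats current=f window=1 global=f last(start_time) AS end_time BY stream
| where isnotnull(end_time)
| eval duration=end_time - start_time
| sort 0 stream sessionID
| table stream sessionID start_time end_time duration eventcount
```

On the constructed data this yields one row per stream (durations 40, 70 and 10 seconds with 2, 1 and 0 intermediate events); the last Marker of each stream opens an interval that has no closing Marker yet, so it is filtered out.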