Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counter for when event occurs one or more times

cpeteman
Contributor
‎07-07-2013 04:27 PM

I want to set up a search for when an event occurs one or more times in a minute (just whether or not it occurred not the total count). This along with sum stats functions I'll use to figure out whether or not an event is a regular check or an anomaly. As in if the stdev is zero and the sum is high and I need to check to see if there has been many events, implying that they are a regular message, or a single event implying that there is a problem.

More detail:

I have all results in a table by punct with relevant stats listed and I want one of those relevant fields to be a variable that checks whether or not an event occurred in a minute (regardless of how many times) adds those up over the entire search time and put it in the same row as that punct. Hope this makes every thing more clear.

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-08-2013 10:33 AM 
... | bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0) | stats sum(occurred) by punct

or

... | bucket _time span=1m | stats count by _time,punct | stats sum(eval(if(count!=0,1,0))) by punct

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-08-2013 10:33 AM 
... | bucket _time span=1m | stats count by _time,punct | eval occurred=if(count!=0,1,0) | stats sum(occurred) by punct

or

... | bucket _time span=1m | stats count by _time,punct | stats sum(eval(if(count!=0,1,0))) by punct
Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:44 AM

They appear to both work as desired thanks a bunch!

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:35 AM

I like it. I have the: "| bucket _time span=1m | stats count by _time,punct |" part already. I'll let you know how it works

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-08-2013 10:11 AM

Not quite but It sounds like a good place to start (except I don't plan on this being an alert really...) so I will take a look. I added a lot more to the question to make it more clear I hope.

Reply
Solved! Jump to solution

linu1988
Champion
‎07-08-2013 09:38 AM

From your case i suspect it will be a realtime thing. Put your search and schedule it from "rt - 1m" to "rt". It will keep searching the time window. If the case satisfies you can set up an alert. Hope i understand it correctly. Thanks

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...