Solved: Count of a large number of events by punct by minu...

cpeteman · ‎07-10-2013

So the intent is to have a field that returns the time stamp of a large number of similar events (same punct field) if it meets a certain condition. For example let's say the number of events in a minute with a certain punct is more than 100. I would like to get both the punct and the time stamp as fields. What I have right now and what should be a good start is:

search_terms | bucket _time span=1m | stats count by punct,_time | stats mean(count),count by punct |eval test=if(count>100,"True","False")

All this will do however is see if the total number of events with that punct is greater than 100 not if the number of events in a single minute. I'll also need the sime stamp but that's not a problem after I get this first part working.

cpeteman · ‎07-10-2013

Well this question was a little easy actually. looks like I didn't need to post it here. For those who are curious:

search_terms | bucket _time span=1m | stats count by punct,_time | stats mean(count),sum(count) AS sum by punct,_time |eval test=if(sum>100,"True","False")

All that was needed was for me to use sum(count) and add a _time field. Cheers!

View solution in original post

cpeteman · ‎07-10-2013

Well this question was a little easy actually. looks like I didn't need to post it here. For those who are curious:

search_terms | bucket _time span=1m | stats count by punct,_time | stats mean(count),sum(count) AS sum by punct,_time |eval test=if(sum>100,"True","False")

All that was needed was for me to use sum(count) and add a _time field. Cheers!

Count of a large number of events by punct by minute

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!