Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count as 1 if two rows have two identical field but in the opposite order

ngerosa
Path Finder
‎07-05-2017 05:42 AM

Hello!
I extract everyday from db a list of events that have the following fields:

NODO_A NODO_Z DELTA TIMESTAMP

I want to count as 1 event if there is a couple of NODO_A NODO_Z but in the opposite order with a max difference of 5 minutes in TIMESTAMP field.

Example:

MILAN ROME 14.6 2017-06-28 11:32:02
ROME MILAN 17.2 2017-06-28 11:32:15
TURIN MILAN 11.1 2017-06-21 17:11:19
MILAN TURIN 10.4 2017-06-21 17:12:03

As the result I want:

MILAN ROME 1
MILAN TURIN 1

Can anyone help me?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-05-2017 07:59 AM

Give this a try
Updated Turn out there were several typo in my original answer. Try this one.

Your current search giving field NODO_A NODO_Z DELTA TIMESTAMP
| eval commonfield=mvsort(split(NODO_A."#".NODO_Z,"#")) | nomv commonfield | eval epochtime=round(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"))
 | sort commonfield epochtime | streamstats current=f window=1 values(epochtime) as prevtime by commonfield
 | eval duration=epochtime-prevtime | where duration<300 
 | stats count by commonfield

This is runanywhere sample search with your sample data.

| gentimes start=-1 | eval temp="MILAN ROME 14.6 2017-06-28 11:32:02#ROME MILAN 17.2 2017-06-28 11:32:15#TURIN MILAN 11.1 2017-06-21 17:11:19#MILAN TURIN 10.4 2017-06-21 17:12:03" | table temp | makemv temp delim="#" | mvexpand temp | rex field=temp "(?<NODO_A>\S+) (?<NODO_Z>\S+) (?<DELTA>\S+) (?<TIMESTAMP>.+)" | fields - temp | rename COMMENT as "This is just to generate sample data" 
| eval commonfield=mvsort(split(NODO_A."#".NODO_Z,"#")) | nomv commonfield | eval epochtime=round(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"))
 | sort commonfield epochtime | streamstats current=f window=1 values(epochtime) as prevtime by commonfield
 | eval duration=epochtime-prevtime | where duration<300 
 | stats count by commonfield

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-05-2017 07:59 AM

Give this a try
Updated Turn out there were several typo in my original answer. Try this one.

Your current search giving field NODO_A NODO_Z DELTA TIMESTAMP
| eval commonfield=mvsort(split(NODO_A."#".NODO_Z,"#")) | nomv commonfield | eval epochtime=round(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"))
 | sort commonfield epochtime | streamstats current=f window=1 values(epochtime) as prevtime by commonfield
 | eval duration=epochtime-prevtime | where duration<300 
 | stats count by commonfield

This is runanywhere sample search with your sample data.

| gentimes start=-1 | eval temp="MILAN ROME 14.6 2017-06-28 11:32:02#ROME MILAN 17.2 2017-06-28 11:32:15#TURIN MILAN 11.1 2017-06-21 17:11:19#MILAN TURIN 10.4 2017-06-21 17:12:03" | table temp | makemv temp delim="#" | mvexpand temp | rex field=temp "(?<NODO_A>\S+) (?<NODO_Z>\S+) (?<DELTA>\S+) (?<TIMESTAMP>.+)" | fields - temp | rename COMMENT as "This is just to generate sample data" 
| eval commonfield=mvsort(split(NODO_A."#".NODO_Z,"#")) | nomv commonfield | eval epochtime=round(strptime(TIMESTAMP,"%Y-%m-%d %H:%M:%S"))
 | sort commonfield epochtime | streamstats current=f window=1 values(epochtime) as prevtime by commonfield
 | eval duration=epochtime-prevtime | where duration<300 
 | stats count by commonfield
0 Karma
Reply
Solved! Jump to solution

ngerosa
Path Finder
‎07-05-2017 01:19 PM

Hi somesoni2,
the search retrieve no results.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-05-2017 01:55 PM

Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

ngerosa
Path Finder
‎07-13-2017 06:10 AM

It partially works.
The search have basically two problems:
1) If there is a couple of NODO_A NODO_Z that don't have any value in common with other couple, the duration field is null. If in the where clause I include the null value I also include duplicate in commonfield value
2)With where duration<300 I exclude also the couple NODO_A NODO_Z with a difference in timestamp more than 300s

MILAN ROME 14.6 2017-06-28 11:32:02
MILAN TURIN 10.4 2017-06-21 17:12:03
ROME MILAN 17.2 2017-06-28 13:32:15
TURIN MILAN 10.4 2017-06-21 17:18:03

In this case I want
MILAN ROME 2
MILAN TURIN 1

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...