Splunk Search

What is the best way to count the number of times a field has been changed or toggled?

606866581
Path Finder

Hi Everyone,

I've been using Splunk for a few years but I'm looking for a nice way to capture the number of times a user has changed a particular setting. For simplicity's sake the setting can be 1 or 0.

2017-02-17 01:00:00 IP=1.1.1.1 Setting=0
2017-02-17 02:00:00 IP=1.1.1.1 Setting=0
2017-02-17 03:00:00 IP=1.1.1.1 Setting=1
2017-02-17 03:00:00 IP=2.2.2.2 Setting=0
2017-02-17 04:00:00 IP=2.2.2.2 Setting=1
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0

I'm looking to produce a table to summarize this which will look like:

IP, Times toggled
1.1.1.1, 2
1.1.1.1, 1

The dataset is too large to use transaction so I'm hoping there's a nifty command that I can use which caters for this.
Thanks!


somesoni2
Revered Legend

Give this a try

your current search which includes the fields _time, IP and Setting
| sort 0 IP _time
| streamstats current=f window=1 values(Setting) as prevSetting by IP 
| where Setting!=prevSetting
| stats count as "Times Toggled" by IP

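The accepted answer's pipeline (sort per IP by time, compare each event's Setting to the previous event's Setting for the same IP, count the mismatches) is easy to check offline. The following Python is an added example, not part of the original thread or of Splunk; it parses the question's sample events (embedded here as constructed input) and reproduces the streamstats logic step by step so you can see why the first event per IP is never counted and what the "Times Toggled" figure actually measures. The function and variable names are the example's own.

```python
import re

# Constructed sample input: the same seven events the question shows, not real log data.
SAMPLE_LOG = """\
2017-02-17 01:00:00 IP=1.1.1.1 Setting=0
2017-02-17 02:00:00 IP=1.1.1.1 Setting=0
2017-02-17 03:00:00 IP=1.1.1.1 Setting=1
2017-02-17 03:00:00 IP=2.2.2.2 Setting=0
2017-02-17 04:00:00 IP=2.2.2.2 Setting=1
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0
2017-02-17 05:00:00 IP=1.1.1.1 Setting=0
"""

# One line = "<date> <time> IP=<addr> Setting=<value>"; anything else is skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) IP=(?P<ip>\S+) Setting=(?P<setting>\S+)$")


def parse_events(text):
    """Turn raw lines into (timestamp, ip, setting) tuples, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["setting"]))
    return events


def count_toggles(events):
    """Mirror of: sort 0 IP _time | streamstats current=f window=1 values(Setting)
    as prevSetting by IP | where Setting!=prevSetting | stats count by IP.

    prev[ip] plays the role of prevSetting: it is absent for the first event of
    each IP, so that event can never count as a toggle (in SPL the null
    comparison is simply false). Unlike the SPL version, an IP whose setting
    never changes still gets a row here, with a count of 0.
    """
    # Python's sort is stable, so events with equal timestamps keep file order.
    ordered = sorted(events, key=lambda e: (e[1], e[0]))
    toggles = {}
    prev = {}
    for _ts, ip, setting in ordered:
        toggles.setdefault(ip, 0)
        if ip in prev and prev[ip] != setting:
            toggles[ip] += 1
        prev[ip] = setting
    return toggles


def toggle_table(text):
    """Rows of (IP, Times Toggled), sorted by IP, ready to print as the asked-for table."""
    return sorted(count_toggles(parse_events(text)).items())


if __name__ == "__main__":
    print("IP, Times Toggled")
    for ip, n in toggle_table(SAMPLE_LOG):
        print(f"{ip}, {n}")
```

Two caveats carry over to the SPL. First, because `where Setting!=prevSetting` drops every event of an IP that never changed, such IPs vanish from the `stats` output; if you need them listed with 0 (for example to spot hosts that have never been reconfigured), add them back with a second `stats` or `fillnull` step rather than assuming absence means zero. Second, events with identical `_time` for the same IP (the two 05:00:00 lines above) have no guaranteed order after `sort`, so if a setting could flip back and forth within one second the count can differ by run; sorting on an additional monotonic field such as a sequence number removes that ambiguity.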

niketn
Legend

You can try streamstats

<Your Base Search>
| streamstats count by IP reset_on_change=true

Please refer to the documentation on the same: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Streamstats

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"