- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to sum consecutive success of sequential o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to sum consecutive success of sequential order of events fileds comes?
My fields contains " search | eval status=if(value>10,Success,failure) | table Name message status
Name Message Status
blah...blah.......Success
Blah...blah........Success
Blah..Bhalh......failure
blah...blah.......Success
Blah...blah........Success
Blah..Bhalh......failure
Blah..Bhalh......failure
Blah..Bhalh......failure
blah...blah.......Success
Blah...blah........Success
blah...blah.......Success
Blah...blah........Success
Output should be
Name Message Status count
blah ...blah .......Success 1
Blah...blah........Success 2
Blah..Bhalh......failure 0
blah...blah.......Success 1
Blah...blah........Success 2
Blah..Bhalh......failure 0
Blah..Bhalh......failure 0
Blah..Bhalh......failure 0
blah...blah.......Success 1
Blah...blah........Success 2
blah...blah.......Success 3
Blah...blah........Success 4
like that
can anyone provide the query for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk 6.6v
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthikeyan_k14, please try out the following run anywhere search with the sample data as per your question. Your scenario seems to be use case for streamstats to count Successful events (sorted in chronological order as per requirement). Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats
PS: I have added first dummy row as failure to get the counts correct in case your indexed events start with Success. So, commands until | appendcols are required.
The | makeresults command afterwards until | table should be replaced with your actual Splunk Search.
Following streamstats command should do the trick:
| streamstats count reset_before="("Status==\"failure\"")" current=f
Following is the complete run anywhere search for your reference:
| makeresults
| eval Name="DummyFirstRowName"
| eval Message="DummyFirstRowMsg"
| eval Status="failure"
| fields - _time
| appendcols [| makeresults
| eval data="blah blah Success;Blah blah Success;Blah Bhalh Success;blah blah failure;Blah blah Success;Blah Bhalh Success;Blah Bhalh failure;Blah Bhalh failure;blah blah Success;Blah blah Success;blah blah Success;Blah blah Success;"
| makemv delim=";" data
| mvexpand data
| eval data=split(data," ")
| eval Name=mvindex(data,0),Message=mvindex(data,1),Status=mvindex(data,2)
| table Name Message Status
| streamstats count reset_before="("Status==\"failure\"")" current=f]
As per your question and sample data seems like Name and Message fields are not to be considered for streamstats so I have left them alone in the table. Please try out and confirm.
| makeresults | eval message= "Happy Splunking!!!"
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
