Splunk count consecutive events based on value?

Question

I am facing an availability monitoring issue here. We do have a heartbeat set up in splunk which tells whether the app is up or not with status = 0 or 1 every minute. The thing is, that sometimes a fail occurs for one event (for no reason, since the app is running) and it lowers the availability rating of the application which is based on this.

Is it possible to set up a chart that ignores events if they did not happen 5 times in a row?

Example:

_time   Status
00:01   1
00:02   1
00:03   1
00:04   0
00:05   1
00:06   1
00:07   1
00:08   1
00:09   1
00:10   1
00:11   1

If a 0 occurs, i want to check whether it apeared in 4 previous events aswell and only then count it into my chart - if not i want to treat it as false positive.

score 0 · Accepted Answer · answered Mar 26 '20 at 18:31

0

You can do that with streamstats.

<your existing search>
| streamstats count by Status reset_on_change=true
| where (Status=0 AND count>4)

answered Mar 26 '20 at 18:31

RichG

9,063
2
18
29

Splunk count consecutive events based on value?

1 Answers1