
Timetable/Schedule has been given in a lookup table, how to use it in a Splunk query

Hi Splunkers,

I am stuck in a situation where I have been provided an input lookup file containing the operational hours of a train.

9-10 10-11 11-12 12-13 13-14 14-15 15-16 16-17 ... 23-24
Today 1 2 3 4 5
T-1 1 2 3 4 5
T-2 1 2 3 4 5
T-3 1 2 3 4 5

Bin size is 1 hour in this case, and the schedule of the same train for the previous 3 days has been provided with the same bin size.

Scenario: Today's schedule is that the train's 1st hour of operation is 9-10, the 2nd hour of operation is 10-11, and so on. Every day the train runs for 5 hours, so 5 hours of operation are mentioned in the table. Let's say that, as per the current time, I am in the 1st hour of operation, so I need to consider the 1st hour of operation for the last 3 days, count their alarmopened and divide it by 3 to get the average. If the number of alarms opened today in the 1st hour of operation is more than the average calculated on the basis of the 1st hour of operation for the last 3 days, it will give an alert.

Question: How can I mark the hours of operation of the previous days? If today I am in the 2nd hour of operation, how do I get the count of alarms opened in the 2nd hour of operation in the previous 3 days?

Logically I am able to understand the scenario, but I can't think of how to implement it in Splunk. Please guide. Hope my question is clear.

TIA
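
The comparison described in the question, sketched in Python as an added example (not part of the original post, and not Splunk code): each alarm is tagged with its day offset and its hour-of-operation number by looking up the schedule, and only alarms with the same hour-of-operation number as the current one are counted. The schedule values for T-1 to T-3, the timestamps and all function names are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed schedule in the shape of the lookup:
# day offset (0 = Today, 1 = T-1, ...) -> {start hour of 1-hour bin: hour of operation}
SCHEDULE = {
    0: {9: 1, 10: 2, 11: 3, 12: 4, 13: 5},
    1: {10: 1, 11: 2, 12: 3, 13: 4, 14: 5},
    2: {9: 1, 10: 2, 11: 3, 12: 4, 13: 5},
    3: {12: 1, 13: 2, 14: 3, 15: 4, 16: 5},
}

def op_hour(ts, now):
    """Return (day_offset, hour_of_operation) for ts, or None if the train was not running."""
    offset = (now.date() - ts.date()).days
    ordinal = SCHEDULE.get(offset, {}).get(ts.hour)
    return None if ordinal is None else (offset, ordinal)

def check_alert(alarm_times, now):
    """Compare today's alarm count in the current hour of operation with the 3-day average."""
    current = op_hour(now, now)
    if current is None:
        return None  # outside today's operating hours, nothing to compare
    ordinal = current[1]
    counts = Counter()
    for ts in alarm_times:
        key = op_hour(ts, now)
        if key and key[1] == ordinal and ts <= now:
            counts[key[0]] += 1
    # Assumption: today's count so far is compared with full hours on previous days.
    today = counts[0]
    average = sum(counts[d] for d in (1, 2, 3)) / 3
    return {"ordinal": ordinal, "today": today, "average": average, "alert": today > average}

# Constructed sample: "now" falls in today's 2nd hour of operation (10-11).
NOW = datetime(2024, 5, 10, 10, 30)
SAMPLE_ALARMS = [
    datetime(2024, 5, 10, 9, 15),   # today, 1st hour: ignored
    datetime(2024, 5, 10, 10, 5), datetime(2024, 5, 10, 10, 10), datetime(2024, 5, 10, 10, 20),
    datetime(2024, 5, 9, 10, 30),   # T-1, 1st hour: ignored
    datetime(2024, 5, 9, 11, 10), datetime(2024, 5, 9, 11, 40),  # T-1, 2nd hour
    datetime(2024, 5, 8, 10, 45),   # T-2, 2nd hour
    datetime(2024, 5, 7, 10, 0),    # T-3, train not running: ignored
    datetime(2024, 5, 7, 12, 10),   # T-3, 1st hour: ignored
]

if __name__ == "__main__":
    print(check_alert(SAMPLE_ALARMS, NOW))
```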
