topic Re: map over makecontinuous not working ... in Splunk Search

map over makecontinuous not working ...

JeToJedno — Wed, 15 Nov 2017 15:37:38 GMT

I'm trying to fill in the gaps in a set of data, where there are different gaps for each of the types.

I've tried:

... | appendpipe [ stats FIRST(device_id) AS device_id BY day, device_type | map maxsearches=20 search="where device_type=\"$device_type$\" | makecontinuous day span=1 | where ISNULL(device_type) | eval device_type=\"$device_type$\", device_id=\"$device_id$\" " ] ...

But I get no results from that. I've tried multiple variants of this, with & without quotes, with & without the wheres. All give me nothing ...
The makecontinuous on its own does create the missing entries, but without the relevant device_type values, and without multiple events (one for each missing type) on each day.

Any advice / comment / better way of doing this?

Thanks
David

Re: map over makecontinuous not working ...

cmerriman — Wed, 15 Nov 2017 20:57:05 GMT

what is before the appendpipe?

Re: map over makecontinuous not working ...

DalJeanis — Wed, 15 Nov 2017 21:44:43 GMT

I'm not sure what you believe your code is supposed to do.

The first thing I would try is to put a pipe before stats.

The second thing would be to turn the search from the map search= into a valid search, by at the very least starting it with the keyword search.

Before I did any of that, though, I would describe here in plain English what you are trying to achieve and see whether or not the community is able to give you the desired syntax.

Re: map over makecontinuous not working ...

JeToJedno — Thu, 16 Nov 2017 10:11:13 GMT

a search that summarises log entries by day and device_type, giving active and concurrent active, along with concurrent registrations (credential validity is renewed daily and are valid 7 days from last use).

Re: map over makecontinuous not working ...

JeToJedno — Thu, 16 Nov 2017 10:13:02 GMT

What I'm trying to do is fill in the gaps in the results of the previous search, which summarises log entries. On some days, for some device types, there are no entries so there are gaps ... and I'd like those filled in, for each device type.

Re: map over makecontinuous not working ...

JeToJedno — Thu, 16 Nov 2017 10:22:51 GMT

The code is intended to fill in gaps in the results from the previous search. That produces results by day and device_type, but not all days have results for all device types.
The gaps make some graphs and subsequent analyses perform strangely.

Re: map over makecontinuous not working ...

cmerriman — Thu, 16 Nov 2017 12:50:19 GMT

are you using stats or chart before the appendpipe?
if you have duplicate day values, makecontinuous will not work.

can you try (edit chart syntax to fit your needs)

|chart count(device_id) as devices by day device_type
|makecontinuous day
|fillnull value=0

Re: map over makecontinuous not working ...

JeToJedno — Thu, 16 Nov 2017 13:28:27 GMT

Thanks. I was aware of that deficiency in makecontinuous and trying to avoid it. I can make it work by adding multiple appendpipes with makecontinuous, one for each device_type, but that needs editing every time that list of device types changes. e.g.

| appendpipe [ where device_type=1 | makecontinuous day | where ISNULL(device_type) | eval device_type=1 ]
| appendpipe [ where device_type=2 | makecontinuous day | where ISNULL(device_type) | eval device_type=2 ]
elc ...