https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103071#M26634 <P>I'm trying to plot total load-avg vs number of processors in a cluster (i.e. how loaded is the system). The following basically works:</P> <P><TT>numproc OR loadshort | transaction xid | bucket span=10m _time | timechart span=10m sum(numproc) sum(loadshort)</TT></P> <P>Except we occasionally see multiple data items posted in a given 10min window -- e.g. {host,load1,numproc,time1} and {host,load2,numproc,time2} both land in the same time-bucket. The above commands adds in the numproc value twice, which obscures the real load on the system.</P> <P>Is there a way to dedup the data after its been bucketed? or, maybe said another way, to dedup the data within a single bucket?</P> Tue, 17 May 2011 00:33:49 GMT jbp4444 2011-05-17T00:33:49Z https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103071#M26634 <P>I'm trying to plot total load-avg vs number of processors in a cluster (i.e. how loaded is the system). The following basically works:</P> <P><TT>numproc OR loadshort | transaction xid | bucket span=10m _time | timechart span=10m sum(numproc) sum(loadshort)</TT></P> <P>Except we occasionally see multiple data items posted in a given 10min window -- e.g. {host,load1,numproc,time1} and {host,load2,numproc,time2} both land in the same time-bucket. The above commands adds in the numproc value twice, which obscures the real load on the system.</P> <P>Is there a way to dedup the data after its been bucketed? or, maybe said another way, to dedup the data within a single bucket?</P> Tue, 17 May 2011 00:33:49 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103071#M26634 jbp4444 2011-05-17T00:33:49Z https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103072#M26635 <P>Might be easiest to just use <CODE>first()</CODE> instead, which will give you the most recent <CODE>numproc</CODE> in each bucket. I'll assume <CODE>numproc</CODE> doesn't change, though if it did, you might just use <CODE>avg()</CODE>:</P> <PRE><CODE>numproc OR loadshort | transaction xid | bucket span=10m _time | timechart span=10m first(numproc) sum(loadshort) </CODE></PRE> Tue, 17 May 2011 02:15:24 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103072#M26635 gkanapathy 2011-05-17T02:15:24Z https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103073#M26636 <P>Thanks for the quick reply gkanapathy -- that's definitely in the right direction. But there are multiple hosts producing the {numproc,loadshort} data, and I want to sum each item across all those machines. My understanding is that 'first' would give only one value from one host.</P> <P>Maybe some combination of 'first .. by host' then a separate summation command?</P> Tue, 17 May 2011 13:04:33 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103073#M26636 jbp4444 2011-05-17T13:04:33Z https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103074#M26637 <P>Looks like dedup might work after all -- I didn't realize you could dedup based on more than one field:</P> <P>numproc OR loadshort | transaction xid | bucket span=10m time | dedup host time | timechart span=10m sum(loadshort) sum(numproc) </P> <P>Since bucket discretized the timestamps, the {host,time} pairs are duplicates and dedup can take care of them (time should be underscore-time).</P> Tue, 17 May 2011 13:28:18 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-Timechart-and-Dedup/m-p/103074#M26637 jbp4444 2011-05-17T13:28:18Z