
## Can Splunk find love?

SplunkTrust

Since Valentine's Day is near,
Splunk can search for everything. And it might find love, I thought.

How?

1 Solution
SplunkTrust

Hey, look. I found it!

```
| makeresults count=2
| streamstats count as x
| eval x=if(x=1,0.00000,1.80000)
| makecontinuous x span=0.01
| eval z=split("A#B#C#D","#")
| stats values(x) as x by z
| stats count by x z
| eval y = case(x < 1 AND (z="A" OR z="C"),exact(pow(x,(2/3))) + exact(sqrt(1 - pow(x,2)))
,x < 1 AND (z="B" OR z="D"),exact(pow(x,(2/3))) - exact(sqrt(1 - pow(x,2))))
| eval x = if(z="C" OR z="D",x * -1, x)
| table x , y
| sort 0 x
| rename y as LOVE
```
SplunkTrust

Hi, everyone.
Thank you for so many answers.
Can Splunk find love?
`yes`

# Happy Valentine's Day and Happy Splunking!

Splunk Employee

Just don't use the Drake equation...you'll be seriously depressed.

SplunkTrust

Too little!!
But I believe to find a little more.

Builder

When I `set` my eyes upon you, dearest Splunky
And `lookup` at my `rare` love,
My mind doth `return`
`from` a `search` for a perfect `union`.

Who could `predict`
We could `sort` our `diffs` and `join`?
As I `crawl` with my `tail` between my legs
To `join` my `top` love once again!

I never `metadata` source so robust and `uniq`
From `head` to `tail`,
Dearest Splunky, which none can `replace`.

SplunkTrust
```
| windbag
| regex "[love]"
```
Influencer

True love is the greatest thing in the world - except for a nice MLT - mutton lettuce and tomato san... but when discussing the application of mathematics and technology in the search for love, I feel it's important to keep in mind that your normal approach is useless here:

But Splunk enables you to bring data from Everything, and apply it to Everything. So what are you passionate about? You could use that power for good causes and enable the charities that you are passionate about. Or maybe you're passionate about other things... maybe cars, or barbeque, or parties, brewing, or anything else you can think of. It's simply a matter of getting that data into Splunk to start analyzing it to help make decisions to improve things.

And on that journey of bringing data to your passions, there have been and continue to be a lot of awesome people in the worldwide Splunk Community... Between Slack, here on Answers, Reddit, many local user groups, and lots of other places around the world and online, there are so many folks, passionate in their respective areas, who are willing to help and talk and spread new ideas about the uses of Splunk, Phantom, VictorOps, SignalFX, Omnition, UBA, DSP, and many other solutions supported by Splunk, Inc, and even those used often around Splunk solutions, to make everyone's work and personal lives better. Some of them may even share your particular passions as well!

The Splunk community is the heart of Splunk... and finding them was an experience of finding my people. I love those who have mentored me there, and I love giving back and helping others find that same spark that I had with it. Because of the Splunk Community, .conf has become much more than just a vendor conference to learn what's new and awesome around Splunk... for me and others, it's become that camp where I know I'll be able to see in person and catch up with all the people I love, and have missed seeing in person over the past year. These people have both seen me at my best, and helped me through my worst... and there are even a few of them where I would hop on a plane at a moment's notice to come help if they needed me to.

So sure Splunk helped me find love...

Perhaps somewhat differently than you may have intended... but what is love?

SplunkTrust

Oh,
Old days you sang Never gonna give you up, now such a sad song

`what is love?` I don't know, either.
But I want to find a little more.

Contributor
SplunkTrust

Thank you, it will be helpful.
But I want to find a little more.

Ultra Champion

https://www.splunk.com/en_us/blog/tips-and-tricks/valentines2015.html

If my comment helps, please give it a thumbs up!
SplunkTrust

Thank you, there was such an article.
But I want to find a little more.

SplunkTrust
```
<form>
  <label>text to bin</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="field1">
      <label>Text</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query><![CDATA[| makeresults count=1112
| streamstats current=f count
| where match(count,"^[01]?[01]?[01]?[01]$$")
| eval count =printf("%04d",count)
| stats list(count) as hex2bin
| eval counter = mvappend(mvrange(0,10),split("abcdef",""))
| appendcols [| makeresults count=256
| streamstats count as code
| eval ascii=printf("%c",code)
| stats values(ascii) as ascii
| eval code=mvrange(1,256)]
| eval text="$field1$"
| appendpipe [
| eval text_len=mvrange(1,len(text)+1)
| rex field=text_len mode=sed "s/(\d+)/bin_\1/g"
| stats count by text_len
| foreach bin_*
[ eval <<FIELD>> = mvindex(split(text,""),<<MATCHSTR>> -1)
| eval <<FIELD>> = mvindex(code,mvfind(ascii,<<FIELD>>))
| eval <<FIELD>>_upper = printf("%x",floor(<<FIELD>> / 16))
| eval <<FIELD>>_lower = printf("%x",(<<FIELD>> % 16))
| eval <<FIELD>>_upper=mvindex(hex2bin,mvfind(counter,<<FIELD>>_upper))
| eval <<FIELD>>_lower=mvindex(hex2bin,mvfind(counter,<<FIELD>>_lower))
| eval result=mvappend(result,<<FIELD>>_upper,<<FIELD>>_lower)]
| table text result
| eval result=mvjoin(result," ")]]></query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
</form>
```

SplunkTrust

Try this dashboard to find out the answer:

https://pastebin.com/Rw4DM0RC

Sorry for the pastebin link, but the forum keeps giving a 500 error when I post the code here.

```
<form>
  <label>Valentine's Day Slots by Michael Camp Bentley</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="bet" searchWhenChanged="true">
      <label>Bet Amount</label>
      <choice value="1">Bet $1</choice>
      <choice value="5">Bet $5</choice>
      <choice value="10">Bet $10</choice>
      <default>1</default>
      <initialValue>1</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults count=1
| eval participants= printf("%c",tonumber("1F47C",16)).",".printf("%c",tonumber("2661",16)).",".printf("%c",tonumber("1F498",16)).",".printf("%c",tonumber("1F48F",16))
| makemv delim="," participants
| mvexpand participants
| streamstats count(participants) as count1
| stats range(count1) as range values(participants) as participants
| eval number_of_participants=tonumber(range+1)
| eval random=random()%$$number_of_participants$$
| eval a=upper(mvindex(participants,random))
| fields a
| appendcols
[| makeresults count=1
| eval participants= printf("%c",tonumber("1F47C",16)).",".printf("%c",tonumber("2661",16)).",".printf("%c",tonumber("1F498",16)).",".printf("%c",tonumber("1F48F",16))
| makemv delim="," participants
| mvexpand participants
| streamstats count(participants) as count1
| stats range(count1) as range values(participants) as participants
| eval number_of_participants=tonumber(range+1)
| eval random=random()%$$number_of_participants$$
| eval b=upper(mvindex(participants,random))
| fields b]
| appendcols
[| makeresults count=1
| eval participants= printf("%c",tonumber("1F47C",16)).",".printf("%c",tonumber("2661",16)).",".printf("%c",tonumber("1F498",16)).",".printf("%c",tonumber("1F48F",16))
| makemv delim="," participants
| mvexpand participants
| streamstats count(participants) as count1
| stats range(count1) as range values(participants) as participants
| eval number_of_participants=tonumber(range+1)
| eval random=random()%$$number_of_participants$$
| eval c=upper(mvindex(participants,random))
| fields c]
| eval earnings=case(
a==printf("%c",tonumber("1F48F",16)) AND b==printf("%c",tonumber("1F48F",16)) AND c==printf("%c",tonumber("1F48F",16)),1000,
a==printf("%c",tonumber("1F498",16)) AND b==printf("%c",tonumber("1F498",16)) AND c==printf("%c",tonumber("1F498",16)) ,500,
a==printf("%c",tonumber("2661",16)) AND b==printf("%c",tonumber("2661",16)) AND c==printf("%c",tonumber("2661",16)) ,250,
a==printf("%c",tonumber("1F47C",16)) AND b==printf("%c",tonumber("1F47C",16)) AND c==printf("%c",tonumber("1F47C",16)) ,100,
a==printf("%c",tonumber("1F48F",16)) AND b==printf("%c",tonumber("1F48F",16)) OR b==printf("%c",tonumber("1F48F",16))
AND c==printf("%c",tonumber("1F48F",16)) OR a==printf("%c",tonumber("1F48F",16)) AND c==printf("%c",tonumber("1F48F",16)),500,
a==printf("%c",tonumber("1F498",16)) AND b==printf("%c",tonumber("1F498",16)) OR b==printf("%c",tonumber("1F498",16))
AND c==printf("%c",tonumber("1F498",16)) OR a==printf("%c",tonumber("1F498",16)) AND c==printf("%c",tonumber("1F498",16)) ,250,
a==printf("%c",tonumber("2661",16)) AND b==printf("%c",tonumber("2661",16)) OR b==printf("%c",tonumber("2661",16))
AND c==printf("%c",tonumber("2661",16)) OR a==printf("%c",tonumber("2661",16)) AND c==printf("%c",tonumber("2661",16)) ,100,
a==printf("%c",tonumber("1F47C",16)) AND b==printf("%c",tonumber("1F47C",16)) OR b==printf("%c",tonumber("1F47C",16))
AND c==printf("%c",tonumber("1F47C",16)) OR a==printf("%c",tonumber("1F47C",16)) AND c==printf("%c",tonumber("1F47C",16)) ,10,
1=1,0)
| eval loss=if(earnings==0,$bet$,0)</query>
          <earliest>1535385600.000</earliest>
          <latest>1535474114.000</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        Contact the Author -> <a href="https://www.linkedin.com/in/remote-splunk-consultant-atlanta" alt="Link to Michael Bentley's LinkedIn Profile">Michael "JKat54" Bentley</a> -> Or Call 1-844-4SPLUNK for more details
      </html>
    </panel>
  </row>
</form>
```
SplunkTrust

I modified it a little, so I can provide your great query here!

SplunkTrust

SplunkTrust

Thank you, I didn't know I could do this.
But I want to find a little more and try your dashboard.

SplunkTrust

Sure, since Splunk supports UTF, many of the "valentines" characters will work when eval'd like the white and black hearts below:
