I have two sets of data in Splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).
How can I get the different data rates to match? i.e. can I add events that copy the slow/cpumodel data to a 10-min frequency; or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?
Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:
1 5/9/13 3:19:26.000 PM
May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfs_write=0.52 load_long=4.99 packets_out=2626.34 watts=236 virtual_free=35184026606592
host=igspncbc-n16 sourcetype=syslog source=/var/log/local4

2 5/9/13 3:19:25.000 PM
May 9 15:19:25 igspnih-n66 duologger.pl[20519]: xid=1368127164 nfs_write=651.92 load_long=3.92 packets_out=32244.3 watts=224 virtual_free=35184026606592
host=igspnih-n66 sourcetype=syslog source=/var/log/local4

3 5/9/13 3:19:21.000 PM
May 9 15:19:21 chdm-n01 duologger.pl[21842]: xid=1368127161 nfs_write=1.15 load_long=10.22 packets_out=1497.46 watts=96 virtual_free=35183831837696
host=chdm-n01 sourcetype=syslog source=/var/log/local4

4 5/9/13 3:19:21.000 PM
May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 num_proc=8
host=core-n13.dscr.duke.local sourcetype=local-too_small source=/var/log/local4

5 5/9/13 3:19:19.000 PM
May 9 15:19:19 sysbio-n05 duologger.pl[4682]: xid=1368127158 nfs_write=0.2 load_long=1.79 packets_out=14.45 watts=180 virtual_free=35184024566784
host=sysbio-n05 sourcetype=syslog source=/var/log/local4

6 5/9/13 3:19:19.000 PM
May 9 15:19:19 igspnih-n37 dlogger.pl[24071]: xid=1368127159 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16
I'm guessing the CPU info is per host. You could do
... | eventstats last(cpumodel) as cpumodel by host | ...
This will make the cpumodel field available in all events for that host.
Any ideas if eventstats would be faster/slower than a lookup table?
I.e., I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host | outputlookup ...); then I can use that lookup in the faster/watts search.
I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?
Ahh ... I was trying streamstats but couldn't get it to work out right.
That seems to do the trick -- Thanks!
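A small Python model of the two approaches discussed in this thread (an added example, not code from any poster and not Splunk's implementation): eventstats can only copy cpumodel from events inside the search's own result set, while a saved lookup still applies when the search window contains no hourly event. The hosts node-a and node-b and the sample lines are constructed in the style of the events above.

```python
import re

# Constructed sample in the page's key=value syslog style: (seconds, line).
# node-a and node-b are hypothetical hosts; cpumodel is logged hourly,
# watts every 10 minutes.
EVENTS = [
    (0,    "node-a dlogger.pl[101]: cpumodel=intel-xeon-e5420 num_proc=8"),
    (0,    "node-b dlogger.pl[102]: cpumodel=intel-xeon-x5550 num_proc=16"),
    (600,  "node-a duologger.pl[201]: load_long=4.99 watts=236"),
    (1200, "node-a duologger.pl[201]: load_long=3.92 watts=224"),
    (1200, "node-b duologger.pl[202]: load_long=10.22 watts=96"),
]
KV = re.compile(r"(\w+)=(\S+)")

def parse(ts, raw):
    """Split a line into host plus its key=value fields."""
    host, rest = raw.split(" ", 1)
    return {"_time": ts, "host": host, **dict(KV.findall(rest))}

def table_from(events, field, by):
    """Map each `by` value to the last `field` value seen in `events`."""
    return {e[by]: e[field] for e in events if field in e}

def enrich(events, table, field, by):
    """Copy table[by-value] into every event whose `by` value is in the table."""
    return [{**e, field: table[e[by]]} if e[by] in table else dict(e)
            for e in events]

def eventstats_last(events, field, by):
    """Model of `eventstats last(field) as field by <by>`: the table is built
    from the same result set that is being enriched."""
    return enrich(events, table_from(events, field, by), field, by)

def watts_rows(events):
    """(host, watts, cpumodel) per watts event; cpumodel is None if missing."""
    return [(e["host"], int(e["watts"]), e.get("cpumodel"))
            for e in events if "watts" in e]

ALL = [parse(t, r) for t, r in EVENTS]
RECENT = [e for e in ALL if e["_time"] >= 600]   # window without hourly events
LOOKUP = table_from(ALL, "cpumodel", "host")     # saved once, like outputlookup

if __name__ == "__main__":
    print(watts_rows(eventstats_last(ALL, "cpumodel", "host")))
    print(watts_rows(eventstats_last(RECENT, "cpumodel", "host")))
    print(watts_rows(enrich(RECENT, LOOKUP, "cpumodel", "host")))
```

Both approaches join on the exact host value, so a host that appears under a short name in one event and a fully qualified name in another would not be matched by either.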