Data sampled at different rates .. "expand" one to fit the other?

jbp4444
Path Finder

I have two sets of data in splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).

How can I get the different data rates to match? I.e., can I add events that copy the slow/cpumodel data to a 10-min frequency, or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?

Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:

May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfs_write=0.52 load_long=4.99 packets_out=2626.34 watts=236 virtual_free=35184026606592
  host=igspncbc-n16 | sourcetype=syslog | source=/var/log/local4

May 9 15:19:25 igspnih-n66 duologger.pl[20519]: xid=1368127164 nfs_write=651.92 load_long=3.92 packets_out=32244.3 watts=224 virtual_free=35184026606592
  host=igspnih-n66 | sourcetype=syslog | source=/var/log/local4

May 9 15:19:21 chdm-n01 duologger.pl[21842]: xid=1368127161 nfs_write=1.15 load_long=10.22 packets_out=1497.46 watts=96 virtual_free=35183831837696
  host=chdm-n01 | sourcetype=syslog | source=/var/log/local4

May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 num_proc=8
  host=core-n13.dscr.duke.local | sourcetype=local-too_small | source=/var/log/local4

May 9 15:19:19 sysbio-n05 duologger.pl[4682]: xid=1368127158 nfs_write=0.2 load_long=1.79 packets_out=14.45 watts=180 virtual_free=35184024566784
  host=sysbio-n05 | sourcetype=syslog | source=/var/log/local4

May 9 15:19:19 igspnih-n37 dlogger.pl[24071]: xid=1368127159 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16

1 Solution

Ayn
Legend

I'm guessing the CPU info is per host. You could do

... | eventstats last(cpumodel) as cpumodel by host | ...

This will make the cpumodel field available in all events for that host.

jbp4444
Path Finder

Any ideas if eventstats would be faster/slower than a lookup table?

I.e., I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host | outputlookup ...); then I can use that lookup in the faster/watts search.

I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?

jbp4444
Path Finder

Ahh ... I was trying streamstats but couldn't get it to work out right.

That seems to do the trick -- Thanks!
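
Both approaches from this thread written out as complete searches, as an added example rather than code posted in the thread. It assumes the two sourcetypes shown in the sample (syslog for the watts events, local-too_small for the cpumodel events), a lookup file name host_cpumodel.csv chosen here, and Splunk 8.0 or later for the ```...``` search comments, which older versions reject. Note that the sample shows the cpumodel event for core-n13 indexed as host=core-n13.dscr.duke.local while the watts events carry short hostnames, so both searches derive the join key from the hostname in the raw syslog header rather than trusting the indexed host field.

```spl
sourcetype=syslog OR sourcetype=local-too_small (watts=* OR cpumodel=*) earliest=-24h ```approach 1: one search, eventstats```
| rex field=_raw "^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?<node>[^\s.]+)" ```node = short hostname from the syslog header, the common join key```
| eventstats last(cpumodel) as cpumodel by node ```copy the single cpumodel value of each node onto every event of that node; cpumodel is constant, so last() vs first() makes no difference```
| where isnotnull(watts) ```drop the hourly cpumodel events, keep the 10-minute watts events that now carry cpumodel```
| timechart span=10m avg(watts) by cpumodel

sourcetype=local-too_small cpumodel=* earliest=-24h ```approach 2a: build the node -> cpumodel table once (schedule hourly)```
| rex field=_raw "^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?<node>[^\s.]+)"
| stats first(cpumodel) as cpumodel by node
| outputlookup host_cpumodel.csv

sourcetype=syslog watts=* earliest=-24h ```approach 2b: the fast watts search just joins against the table```
| rex field=_raw "^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?<node>[^\s.]+)"
| lookup host_cpumodel.csv node OUTPUT cpumodel
| timechart span=10m avg(watts) by cpumodel
```

The first search answers the question in one pass but eventstats has to hold every event in the time range to compute the per-node value; the second pair does the hourly cpumodel aggregation once into a CSV that the watts search then joins against, which is what the follow-up about caching was getting at.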
