I have two sets of data in Splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).
How can I get the different data rates to match? I.e., can I add events that copy the slow/cpumodel data to a 10-min frequency; or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?
Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:
May 9 15:19:26 igspncbc-n16 duologger.pl: xid=1368127165 nfswrite=0.52 loadlong=4.99 packetsout=2626.34 watts=236 virtualfree=35184026606592
host=igspncbc-n16 | sourcetype=syslog | source=/var/log/local4
May 9 15:19:25 igspnih-n66 duologger.pl: xid=1368127164 nfswrite=651.92 loadlong=3.92 packetsout=32244.3 watts=224 virtualfree=35184026606592
host=igspnih-n66 | sourcetype=syslog | source=/var/log/local4
May 9 15:19:21 chdm-n01 duologger.pl: xid=1368127161 nfswrite=1.15 loadlong=10.22 packetsout=1497.46 watts=96 virtualfree=35183831837696
host=chdm-n01 | sourcetype=syslog | source=/var/log/local4
May 9 15:19:21 core-n13 dlogger.pl: xid=1368127161 uname=2.6.32-279.el6.x8664 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 numproc=8
host=core-n13.dscr.duke.local | sourcetype=local-toosmall | source=/var/log/local4
May 9 15:19:19 sysbio-n05 duologger.pl: xid=1368127158 nfswrite=0.2 loadlong=1.79 packetsout=14.45 watts=180 virtualfree=35184024566784
host=sysbio-n05 | sourcetype=syslog | source=/var/log/local4
May 9 15:19:19 igspnih-n37 dlogger.pl: xid=1368127159 uname=2.6.32-279.el6.x8664 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16
I'm guessing the CPU info is per host. You could do
... | eventstats last(cpumodel) as cpumodel by host | ...
This will make the cpumodel field available in all events for that host.
Ahh ... I was trying streamstats but couldn't get it to work out right.
That seems to do the trick -- Thanks!
Any ideas if eventstats would be faster/slower than a lookup table?
I.e. I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host | outputlookup ...) then I can use that lookup in the faster/watts search.
I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?
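An added example, not part of the original thread and not Splunk code: a small Python model of how eventstats and streamstats attach cpumodel to the watts events. The events are constructed, and the short_host normalisation is an assumption, prompted by the one cpumodel event in the sample whose metadata shows an FQDN host while the watts events carry short names.

```python
# Added illustration: a Python model of the two SPL commands, not Splunk code.
# Constructed events, newest first (Splunk's default result order). The FQDN on
# the cpumodel event mirrors the host metadata shown in the sample above.
EVENTS = [
    {"t": "15:19:26", "host": "core-n13", "watts": 236},
    {"t": "15:09:26", "host": "core-n13", "watts": 231},
    {"t": "15:00:21", "host": "core-n13.dscr.duke.local", "cpumodel": "intel-xeon-e5420"},
    {"t": "14:59:26", "host": "core-n13", "watts": 228},
    {"t": "14:59:19", "host": "chdm-n01", "watts": 96},  # no cpumodel event for this host
]


def raw_host(event):
    return event["host"]


def short_host(event):
    """Assumed normalisation: FQDN -> lowercased short name."""
    return event["host"].split(".")[0].lower()


def eventstats_last(events, field, by):
    """Two passes: aggregate over the whole result set, then annotate every event."""
    last_seen = {}
    for ev in events:
        if field in ev:
            last_seen[by(ev)] = ev[field]  # last(): later values overwrite earlier ones
    return [{**ev, field: last_seen.get(by(ev))} for ev in events]


def streamstats_last(events, field, by):
    """One pass: each event sees only itself and the events streamed before it."""
    seen, out = {}, []
    for ev in events:
        if field in ev:
            seen[by(ev)] = ev[field]
        out.append({**ev, field: seen.get(by(ev))})
    return out


def watts_models(enriched):
    """cpumodel attached to each watts event, in result order."""
    return [ev["cpumodel"] for ev in enriched if "watts" in ev]


if __name__ == "__main__":
    print("eventstats, short host:", watts_models(eventstats_last(EVENTS, "cpumodel", short_host)))
    print("streamstats, short host:", watts_models(streamstats_last(EVENTS, "cpumodel", short_host)))
    print("eventstats, raw host:", watts_models(eventstats_last(EVENTS, "cpumodel", raw_host)))
```

In this model, grouping on the raw host leaves every watts event without a cpumodel, because the two event types never share a group key.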