
Data sampled at different rates .. "expand" one to fit the other?

Path Finder

I have two sets of data in splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).

How can I get the different data rates to match? i.e. can I add events that copy the slow/cpumodel data to a 10-min frequency; or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?

Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:

1 5/9/13 3:19:26.000 PM
May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfswrite=0.52 loadlong=4.99 packetsout=2626.34 watts=236 virtualfree=35184026606592
host=igspncbc-n16 sourcetype=syslog source=/var/log/local4

2 5/9/13 3:19:25.000 PM
May 9 15:19:25 igspnih-n66 duologger.pl[20519]: xid=1368127164 nfswrite=651.92 loadlong=3.92 packetsout=32244.3 watts=224 virtualfree=35184026606592
host=igspnih-n66 sourcetype=syslog source=/var/log/local4

3 5/9/13 3:19:21.000 PM
May 9 15:19:21 chdm-n01 duologger.pl[21842]: xid=1368127161 nfswrite=1.15 loadlong=10.22 packetsout=1497.46 watts=96 virtualfree=35183831837696
host=chdm-n01 sourcetype=syslog source=/var/log/local4

4 5/9/13 3:19:21.000 PM
May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 uname=2.6.32-279.el6.x8664 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 numproc=8
host=core-n13.dscr.duke.local sourcetype=local-toosmall source=/var/log/local4

5 5/9/13 3:19:19.000 PM
May 9 15:19:19 sysbio-n05 duologger.pl[4682]: xid=1368127158 nfswrite=0.2 loadlong=1.79 packetsout=14.45 watts=180 virtualfree=35184024566784
host=sysbio-n05 sourcetype=syslog source=/var/log/local4

6 5/9/13 3:19:19.000 PM
May 9 15:19:19 igspnih-n37 dlogger.pl[24071]: xid=1368127159 uname=2.6.32-279.el6.x8664 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16

0 Karma

Re: Data sampled at different rates .. "expand" one to fit the other?

Legend

I'm guessing the CPU info is per host. You could do

... | eventstats last(cpumodel) as cpumodel by host | ...

This will make the cpumodel field available in all events for that host.


0 Karma
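
A plain-Python model of what the eventstats fill above does to the two feeds, added here as an example (it is not code from the thread and not SPL). It contrasts a fill over the whole result set with a streaming fill over events in newest-first order, which is how Splunk returns them; the sample lines, host names and the rule that a short name and an FQDN are the same machine are assumptions.

```python
import re

# Constructed sample in the page's duologger/dlogger format, listed newest first
# (the order a Splunk search returns events). Hosts and values are made up.
SAMPLE = """\
May 9 15:20:00 node-a duologger.pl[101]: xid=4 watts=210
May 9 15:10:00 node-a duologger.pl[101]: xid=3 watts=205
May 9 15:05:00 node-a.example.local dlogger.pl[102]: xid=2 cpumodel=intel-xeon-e5420 numproc=8
May 9 15:00:00 node-a duologger.pl[101]: xid=1 watts=198
May 9 15:00:00 node-b duologger.pl[201]: xid=5 watts=90
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) \S+: (.*)$")

def parse(text):
    """Turn each syslog line into a dict of its key=value pairs plus time and host."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        # Assumption: short name and FQDN are one machine, so key on the first label.
        ev["time"], ev["host"] = m.group(1), m.group(2).split(".")[0]
        events.append(ev)
    return events

def fill_all(events, field="cpumodel"):
    """eventstats-style: one value per host, copied onto every event of that host."""
    last = {}
    for ev in events:
        if field in ev:
            last[ev["host"]] = ev[field]  # last value seen in event order
    return [{**ev, field: last.get(ev["host"])} for ev in events]

def fill_forward(events, field="cpumodel"):
    """Streaming fill: an event only gets a value already seen earlier in the stream."""
    seen, out = {}, []
    for ev in events:
        if field in ev:
            seen[ev["host"]] = ev[field]
        out.append({**ev, field: seen.get(ev["host"])})
    return out

def watts_by_model(events):
    """Keep the fast (watts) events and pair each with its host's cpumodel."""
    return [(ev["host"], int(ev["watts"]), ev["cpumodel"]) for ev in events if "watts" in ev]
```

node-b stays empty under both fills because no cpumodel event for it falls inside the sampled window. With hourly cpumodel events, the search range has to cover at least one of them per host, or the value has to come from somewhere persistent such as the lookup table discussed later in the thread.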

Re: Data sampled at different rates .. "expand" one to fit the other?

Path Finder

Ahh ... I was trying streamstats but couldn't get it to work out right.

That seems to do the trick -- Thanks!

0 Karma

Re: Data sampled at different rates .. "expand" one to fit the other?

Path Finder

Any ideas if eventstats would be faster/slower than a lookup table?

I.e. I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host | outputlookup ...), then I can use that lookup in the faster/watts search.

I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?

0 Karma