where's the right place to suggest improvements?

I have two frequent needs which are unnecessarily difficult to do in Splunk:

example 1:
... | appendpipe [ where type="A" | makecontinuous span=1m _time | where ISNULL(type) | eval type="A" ]
| appendpipe [ where type="B" | makecontinuous span=1m _time | where ISNULL(type) | eval type="B" ]
| appendpipe [ where type="C" | makecontinuous span=1m _time | where ISNULL(type) | eval type="C" ]
| appendpipe [ where type="D" | makecontinuous span=1m _time | where ISNULL(type) | eval type="D" ] ...

example 2:
... | appendpipe [ stats COUNT AS count_up BY _time, type ]
| appendpipe [ eval _time=_time+duration | stats COUNT AS countdown BY _time, host ]
| where ISNOTNULL(count_up) OR ISNOTNULL(countdown)
| stats SUM(count_up) AS count_up SUM(countdown) AS countdown BY _time, host
| eval concurrent_change=count_up-countdown
| streamstats global=false SUM(concurrent_change) AS concurrency BY host ...

(not perfect, but good enough)

Both makecontinuous and concurrency commands would be much improved (and the reports run faster) by the addition of a BY clause.

Where should I post this suggestion?

0 Karma
Re: where's the right place to suggest improvements?

You need to open a support case for enhancement requests....

0 Karma