#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

where's the right place to suggest improvements?

JeToJedno
Explorer

I have two frequent needs which are unnecessarily difficult to do in Splunk:

example 1:
... | appendpipe [ where type="A" | makecontinuous span=1m _time | where ISNULL(type) | eval type="A" ]
| appendpipe [ where type="B" | makecontinuous span=1m _time | where ISNULL(type) | eval type="B" ]
| appendpipe [ where type="C" | makecontinuous span=1m _time | where ISNULL(type) | eval type="C" ]
| appendpipe [ where type="D" | makecontinuous span=1m _time | where ISNULL(type) | eval type="D" ] ...

example 2:
... | appendpipe [ stats COUNT AS count_up BY _time, host ]
| appendpipe [ eval _time=_time+duration | stats COUNT AS count_down BY _time, host ]
| where ISNOTNULL(count_up) OR ISNOTNULL(count_down)
| stats SUM(count_up) AS count_up SUM(count_down) AS count_down BY _time, host
| eval concurrent_change=count_up-count_down
| streamstats global=false SUM(concurrent_change) AS concurrency BY host ...

(not perfect, but good enough)

Both makecontinuous and concurrency commands would be much improved (and the reports run faster) by the addition of a BY clause.

Where should I post this suggestion?

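An added illustration, not code from the post or from Splunk: a Python sketch of what example 2 computes, i.e. a per-host approximation of the concurrency command built from start counts, end counts and a running sum. The sample events are constructed; the field names _time, duration and host are taken from the SPL above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): start time,
# duration in seconds, and the host each one belongs to.
EVENTS = [
    {"_time": datetime(2024, 1, 1, 12, 0, 0), "duration": 600, "host": "web1"},
    {"_time": datetime(2024, 1, 1, 12, 5, 0), "duration": 600, "host": "web1"},
    {"_time": datetime(2024, 1, 1, 12, 5, 0), "duration": 0,   "host": "web1"},
    {"_time": datetime(2024, 1, 1, 12, 0, 0), "duration": 120, "host": "web2"},
]


def concurrency_by_host(events):
    """Mirror the appendpipe / stats / streamstats pipeline in example 2.

    count_up   = events starting at _time            (per host)
    count_down = events ending at _time + duration   (per host)
    concurrency = running sum of (count_up - count_down), ordered by _time, per host

    Returns {host: [(time, count_up, count_down, concurrency), ...]}.
    """
    # stats SUM(count_up) AS count_up SUM(count_down) AS count_down BY _time, host
    change = defaultdict(lambda: [0, 0])  # (host, time) -> [ups, downs]
    for e in events:
        change[(e["host"], e["_time"])][0] += 1
        end = e["_time"] + timedelta(seconds=e["duration"])
        change[(e["host"], end)][1] += 1

    # streamstats global=false SUM(concurrent_change) AS concurrency BY host
    # (keys sort by host, then time, so the running sum restarts per host)
    result = defaultdict(list)
    for host, t in sorted(change):
        ups, downs = change[(host, t)]
        running = result[host][-1][3] if result[host] else 0
        result[host].append((t, ups, downs, running + ups - downs))
    return dict(result)


def peak_concurrency(events):
    """Highest concurrency reached on each host."""
    return {host: max(row[3] for row in rows)
            for host, rows in concurrency_by_host(events).items()}
```

Because ups and downs that share a timestamp are netted before the running sum (that is what stats BY _time does), a zero-duration event never raises the count and an event ending at the exact instant another starts is not counted as overlapping; this is the "not perfect" part of the SPL approach.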

lycollicott
Motivator

You need to open a support case for enhancement requests....

