Hi all, can you please help me
I am calculating Shannon entropy values for domains from a single index and have two questions.
1) The SPL below works well but calculates Shannon entropy only for the first 100 domain entries. Is there a way to mitigate that, or is it a Splunk limitation?
2) Is there a more elegant way to use mvexpand so that I don't have to calculate entropy twice to get results, since the `ut_shannon(domain)` result output looks like the attached picture?
Hope this makes sense.
SPL:
index="index1" sourcetype=sourcetype1 earliest=-24h
| fields Domain | stats values(Domain) as domain | `ut_shannon(domain)` | fields domain | mvexpand domain | rename domain as col1
| appendcols [search
index="index_sdas" sourcetype=ST_SDMP_SDAS earliest=-24h
| fields Domain | stats values(Domain) as domain | `ut_shannon(domain)` | fields ut_shannon | mvexpand ut_shannon | rename ut_shannon as col2]
| where col2 > 4
| table col2 col1
| rename col2 as ShannonEntropy, col1 as Domain
| eval ShannonEntropy = substr(ShannonEntropy,1,7)
Thanks
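The post applies `ut_shannon` to a multivalue list of domains and then keeps those scoring above 4. The script below is an added, stand-alone illustration of that same computation outside Splunk; it is not code from the post or from the URL Toolbox app. It assumes that `ut_shannon` computes character-level Shannon entropy in bits (base-2 logarithm) per string, and the domain list, the `score_domains` helper and its names are constructed here for the example. Scoring each domain individually, as this does, avoids the duplicated calculation the poster had to do over the multivalue field.

```python
import math
from collections import Counter

# Threshold taken from the post's "where col2 > 4" filter.
ENTROPY_THRESHOLD = 4.0

# Constructed sample input: two ordinary domains (one duplicated with different
# case), one letter-salad domain and one random-looking, DGA-style label.
SAMPLE_DOMAINS = [
    "splunk.com",
    "example.org",
    "Splunk.COM",
    "abcdefghijklmnopqrstuvwxyz.example",
    "xk3jd9qpz2v7lmw1f.example",
]


def shannon_entropy(s: str) -> float:
    """Character-level Shannon entropy in bits: H = -sum(p_c * log2(p_c)).

    Assumed to match what the URL Toolbox ut_shannon macro computes for a
    single string. An empty string carries no information, so it scores 0.
    """
    if not s:
        return 0.0
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def score_domains(domains, threshold=ENTROPY_THRESHOLD):
    """Return (domain, entropy) pairs above the threshold, highest first.

    Domains are normalised to lower case and de-duplicated before scoring,
    mirroring what stats values(Domain) does in the post. Entropy is rounded
    to four decimals instead of the post's substr(...,1,7) string truncation.
    """
    seen = set()
    results = []
    for raw in domains:
        domain = raw.strip().lower()
        if not domain or domain in seen:
            continue
        seen.add(domain)
        h = shannon_entropy(domain)
        if h > threshold:
            results.append((domain, round(h, 4)))
    results.sort(key=lambda pair: pair[1], reverse=True)
    return results


if __name__ == "__main__":
    # Same column layout as the post's final table: ShannonEntropy, Domain.
    print(f"{'ShannonEntropy':>14}  Domain")
    for domain, h in score_domains(SAMPLE_DOMAINS):
        print(f"{h:>14.4f}  {domain}")
```

Run it as a script to see the two high-entropy names listed and the ordinary domains filtered out. Because each domain is scored on its own row, no second entropy pass or mvexpand pairing is needed to line values up with their domains.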