Data sampled at different rates .. "expand" one to fit the other?

jbp4444
Path Finder

I have two sets of data in Splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).

How can I get the different data rates to match? I.e., can I add events that copy the slow/cpumodel data to a 10-min frequency, or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?

Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:

1  5/9/13 3:19:26.000 PM
May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfs_write=0.52 load_long=4.99 packets_out=2626.34 watts=236 virtual_free=35184026606592
host=igspncbc-n16 | sourcetype=syslog | source=/var/log/local4

2  5/9/13 3:19:25.000 PM
May 9 15:19:25 igspnih-n66 duologger.pl[20519]: xid=1368127164 nfs_write=651.92 load_long=3.92 packets_out=32244.3 watts=224 virtual_free=35184026606592
host=igspnih-n66 | sourcetype=syslog | source=/var/log/local4

3  5/9/13 3:19:21.000 PM
May 9 15:19:21 chdm-n01 duologger.pl[21842]: xid=1368127161 nfs_write=1.15 load_long=10.22 packets_out=1497.46 watts=96 virtual_free=35183831837696
host=chdm-n01 | sourcetype=syslog | source=/var/log/local4

4  5/9/13 3:19:21.000 PM
May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 num_proc=8
host=core-n13.dscr.duke.local | sourcetype=local-too_small | source=/var/log/local4

5  5/9/13 3:19:19.000 PM
May 9 15:19:19 sysbio-n05 duologger.pl[4682]: xid=1368127158 nfs_write=0.2 load_long=1.79 packets_out=14.45 watts=180 virtual_free=35184024566784
host=sysbio-n05 | sourcetype=syslog | source=/var/log/local4

6  5/9/13 3:19:19.000 PM
May 9 15:19:19 igspnih-n37 dlogger.pl[24071]: xid=1368127159 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16

Ayn
Legend

I'm guessing the CPU info is per host. You could do

... | eventstats last(cpumodel) as cpumodel by host | ...

This will make the cpumodel field available in all events for that host.

jbp4444
Path Finder

Any ideas if eventstats would be faster/slower than a lookup table?

I.e. I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host | outputlookup ...), then I can use that lookup in the faster/watts search.

I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?

jbp4444
Path Finder

Ahh ... I was trying streamstats but couldn't get it to work out right.

That seems to do the trick -- Thanks!
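An added example, not from this thread or from Splunk: a small Python model of what Ayn's `eventstats last(cpumodel) as cpumodel by host` does to the events pasted in the question, next to the `streamstats` variant jbp4444 mentioned trying. The event list is constructed: two lines are copied from the question's output, the rest are made up so that core-n13 has several 10-minute watts readings around its hourly cpumodel report, and the year 2013 is assumed for the syslog timestamps. It also shows the one thing worth checking before relying on `by host`: in the pasted output the cpumodel event's host field is the fully qualified name (core-n13.dscr.duke.local) while the watts events carry short names, so the two never land in the same group unless host is normalised first. The SPL equivalents in the comments (`eval host=mvindex(split(host,"."),0)`, `sort 0 _time`, `search watts=*`) are my suggestion, not something posted in the thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the events pasted in the question. Each entry is
# (host field as Splunk assigned it, _raw), in the newest-first order a search
# returns them. Two lines are copied from the question (marked); the rest are
# made up so that core-n13 has 10-minute watts readings around its hourly
# cpumodel report. The cpumodel event carries a fully qualified host, exactly
# as the question's pasted output shows.
SAMPLE_EVENTS = [
    ("core-n13", "May 9 15:39:21 core-n13 duologger.pl[21842]: xid=1368128361 load_long=9.80 watts=152"),   # constructed
    ("core-n13", "May 9 15:29:21 core-n13 duologger.pl[21842]: xid=1368127761 load_long=10.10 watts=150"),  # constructed
    ("igspncbc-n16", "May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfs_write=0.52 "
                     "load_long=4.99 packets_out=2626.34 watts=236 virtual_free=35184026606592"),  # from the question
    ("core-n13.dscr.duke.local", "May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 "
                                 "uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon "
                                 "ip=10.184.92.51 cpumodel=intel-xeon-e5420 num_proc=8"),  # from the question
    ("core-n13", "May 9 15:09:21 core-n13 duologger.pl[21842]: xid=1368126561 load_long=10.22 watts=148"),  # constructed
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\[\d+\]:\s*(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(host, raw, year=2013):
    """Mimic Splunk's syslog timestamp and key=value field extraction.
    Syslog lines carry no year; 2013 is assumed from the question's date."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        raise ValueError(f"unrecognised event: {raw!r}")
    ev = dict(KV_RE.findall(m.group("kv")))
    ev["host"] = host
    ev["_time"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ev


def short_host(ev):
    """SPL equivalent (suggested): | eval host=mvindex(split(host,"."),0)
    Without this, core-n13.dscr.duke.local and core-n13 are different
    'by host' groups and the cpumodel never reaches the watts events."""
    return dict(ev, host=ev["host"].split(".", 1)[0])


def eventstats_last_by(events, field, by):
    """Model of `eventstats last(<field>) as <field> by <by>`: one pass finds the
    last non-null value per group over the whole result set, a second pass
    stamps it onto every event of that group, wherever it sits in time."""
    last = {}
    for ev in events:
        if field in ev:
            last[ev[by]] = ev[field]
    out = []
    for ev in events:
        row = dict(ev)
        if ev[by] in last:
            row[field] = last[ev[by]]
        out.append(row)
    return out


def streamstats_last_by(events, field, by):
    """Model of `streamstats last(<field>) as <field> by <by>`: a running last
    value in arrival order, so an event only sees values from events that
    arrived before it (or itself)."""
    last, out = {}, []
    for ev in events:
        if field in ev:
            last[ev[by]] = ev[field]
        row = dict(ev)
        if ev[by] in last:
            row[field] = last[ev[by]]
        out.append(row)
    return out


def cpumodels(events):
    """cpumodel per event (None where still missing), in the given order."""
    return [ev.get("cpumodel") for ev in events]


def as_of_join(events):
    """Time-correct variant: normalise host, put events in time order, carry the
    most recent earlier cpumodel forward, keep only watts events. Suggested SPL:
      watts OR cpumodel
      | eval host=mvindex(split(host,"."),0)
      | sort 0 _time
      | streamstats last(cpumodel) as cpumodel by host
      | search watts=*
    """
    ordered = sorted((short_host(e) for e in events), key=lambda e: e["_time"])
    return [(e["_time"].strftime("%H:%M:%S"), e["host"], int(e["watts"]), e.get("cpumodel"))
            for e in streamstats_last_by(ordered, "cpumodel", "host") if "watts" in e]


def demo():
    events = [parse_event(h, r) for h, r in SAMPLE_EVENTS]
    normalised = [short_host(e) for e in events]
    return {
        # 'by host' without normalising: the FQDN cpumodel event is its own group
        "eventstats_raw_host": cpumodels(eventstats_last_by(events, "cpumodel", "host")),
        # Ayn's answer once host is normalised: every core-n13 event is filled
        "eventstats": cpumodels(eventstats_last_by(normalised, "cpumodel", "host")),
        # streamstats in search (newest-first) order fills the wrong side in time
        "streamstats_search_order": cpumodels(streamstats_last_by(normalised, "cpumodel", "host")),
        "as_of_join": as_of_join(events),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `eventstats` result shows why Ayn's one-liner is enough when cpumodel really is constant: it fills every core-n13 event regardless of position. The `streamstats_search_order` result shows what goes wrong when `streamstats` is run on results as the search returns them (newest first): only the watts events older than the cpumodel report get filled. Sorting by `_time` first, as `as_of_join` does, gives the "last slow event before each fast event" lookup the question asked for, which is the version to use if cpumodel can actually change between hourly reports.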
