Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Should I use Lookup or mvexpand in the following search?

tb5821
Communicator
‎12-03-2018 12:18 PM

I have a search that returns a list of namespace values.

I want to take each one of those namespace values and run streamstats on it by doing a ...|search namespace=<namespace> | streamstats...

I tried doing a by namespace in my streamstats, but for some reason, it doesn't work and the only way it seems to work is with the pre-search by a single namespace ahead of time...

How do I accomplish this?

current search

source="/var/log/lag/stats.txt" d=* 
| eval namespace=trim(replace(namespace,"sample-text.",""))
| eval Processed_time=_time
| search namespace=HeartBeat
| streamstats current=false window=500 last(count) as prev_count earliest(Processed_time) as time_of_last_change by namespace 
| where prev_count != count
| eval actualchange=prev_count-count
| streamstats current=false window=2 range(Processed_time) AS diffoflastchange by namespace
| eval diffoflastchange=round(diffoflastchange)
| eval changeformatted=tostring(diffoflastchange,"duration")
| stats range(diffoflastchange) as totalrange by namespace
| eval totalrangeformat=tostring(totalrange,"duration")

Sure thing! events are really super basic....

d=12/14/18 02:15:01 PM UTC namespace=Sample,count=5400315
d=12/14/18 02:18:01 PM UTC namespace=HeartBeat,count=5400610
d=12/14/18 02:21:01 PM UTC namespace=Sample,count=5400927
d=12/14/18 02:24:01 PM UTC namespace=HeartBeat,count=5400815

So I'd expect my output to be

HeartBeat Avg Update Span = Sample Avg
Update Span =

0 Karma
Reply

macadminrohit
Contributor
‎12-14-2018 07:59 AM

So you want something like this?

namespace avg(Count) last(Update _time) duration(between the same namespace events)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2018 02:08 PM

Please provide your current search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tb5821
Communicator
‎12-07-2018 08:42 AM

updated original question

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2018 03:19 AM

lookup and mvexpand are very different commands, ones not typically used interchangeably. To help with your search it's important to know what your end goal is. Don't tell us what commands you want to run, tell us in normal language what results you want. Then we'll try to help you get there.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tb5821
Communicator
‎12-13-2018 06:13 AM

what I want is by the field NAMESPACE to get the average timebetween updates for the last x days

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...