filldown by clause?

p_splunk
Engager

I have events for player accounts, which have player levels, and additional events for these accounts which don't have the field player_level. It looks e.g. like this:

GENERAL-EVENT [ account-name=xxx account-level=1]

GENERAL-EVENT [ account-name=xxx account-level=2]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=3]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=4]

and I want to give the SPECIAL-EVENTs the field account-level at which this special thing has "happened".

So I found
| filldown account-level


which works well as long as I search over only one account-name, but when I want to search over all accounts there is nothing like

| filldown account-level by account-name

Is there any work-around?

I'm using 4.3.3


Edit: I tried variants with streamstats, but somehow when I use it for a bigger timeframe with a lot of data it doesn't work the right way, because at some account-levels the level sum contains 0 special events, where I know that there are some when I run the search for a specific account.

p_splunk
Engager

Again: does any of you have another hint as to what the reason could be?

martin_mueller
SplunkTrust

Streamstats can do that:

... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ...

This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.

Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.

p_splunk
Engager

Yes, I know this usage (I'm actually often using | sort 0 +_time ... I wonder which one is "faster").

But the problem is that with big data something stops working; I could imagine something like a max-out or similar, but I can't find any error message in the inspection (does any of you have another hint as to what the reason could be?).