Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

filldown by clause?

p_splunk
Engager
‎11-14-2012 03:47 AM

i have events for player accounts, which have player-levels, and have additional events for these accounts, which dont have the field player_level, looks e.g like this

GENERAL-EVENT [ account-name=xxx account-level=1]

GENERAL-EVENT [ account-name=xxx account-level=2]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=3]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=4]

and i want to give the SPECIAL-EVENTS the field account-level at which this special-thing has "happened".

so i found
| filldown account-level


which works well as long i do a search only over one account-name, but when i want to do searches over all accounts there is nothing like

| filldown account-level by account-name

is there any work-around?????

i'm using 4.3.3


edit: i tried variants with streamstats, but somehow when i use it for a bigger timeframe with many data, it dowsnt work the right way, cuz at some account-levels the level-sum contains 0 special-events, but where i know, that there are some, when i use the search for a specific account.

Tags (2)
0 Karma
Reply

p_splunk
Engager
‎11-15-2012 02:34 AM

again: any of u have another hint what can be the reason?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-14-2012 04:46 AM

Streamstats can do that:

... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ...

This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.

Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.

Reply

p_splunk
Engager
‎11-14-2012 07:17 AM

yes i know this usage (im actually often using | sort 0 +_time ... wonder which one is the "faster")

but the problem is somehow that with big data something stops working, i could imagine of something like maxout or smth, but i cant find any error message in the inspection (any of u have another hint what can be the reason?).

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...