Splunk Search

filldown by clause?

p_splunk
Engager

I have events for player accounts, which have player-levels, and additional events for these accounts, which don't have the field player_level. It looks e.g. like this:

GENERAL-EVENT [ account-name=xxx account-level=1]

GENERAL-EVENT [ account-name=xxx account-level=2]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=3]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=4]

And I want to give the SPECIAL-EVENTs the field account-level at which this special thing has "happened".

So I found
| filldown account-level


which works well as long as I do a search only over one account-name, but when I want to do searches over all accounts there is nothing like

| filldown account-level by account-name

Is there any work-around?

I'm using 4.3.3.


Edit: I tried variants with streamstats, but somehow when I use it for a bigger timeframe with a lot of data, it doesn't work the right way, because at some account-levels the level-sum contains 0 special-events, where I know that there are some when I use the search for a specific account.


p_splunk
Engager

Again: does any of you have another hint about what the reason could be?


martin_mueller
SplunkTrust

Streamstats can do that:

... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ...

This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.

Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.
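To make the behaviour of the double-reverse pipeline concrete, here is an added Python emulation (not part of the thread, not Splunk's own code) of `| reverse | streamstats last(account-level) as account-level by account-name | reverse` on constructed sample events with two interleaved accounts; it assumes, as the answer above does, that Splunk hands search results to the pipeline newest first, while the listing in the question is oldest first.

```python
import re

# Constructed sample events in chronological order (oldest first), modelled on the
# thread's listing but with two accounts interleaved; SPECIAL-EVENT has no account-level.
CHRONOLOGICAL = [
    "GENERAL-EVENT [ account-name=alice account-level=1]",
    "GENERAL-EVENT [ account-name=alice account-level=2]",
    "GENERAL-EVENT [ account-name=bob account-level=1]",
    "SPECIAL-EVENT [ account-name=alice other-field=login]",
    "GENERAL-EVENT [ account-name=alice account-level=3]",
    "SPECIAL-EVENT [ account-name=bob other-field=login]",
    "SPECIAL-EVENT [ account-name=alice other-field=purchase]",
    "GENERAL-EVENT [ account-name=alice account-level=4]",
]
FIELD_RE = re.compile(r"([\w-]+)=([^\s\]]+)")

def parse_event(line):
    """Split 'TYPE [ k=v k=v]' into a dict; the event type is kept under '_type'."""
    event_type, _, rest = line.partition(" [")
    fields = dict(FIELD_RE.findall(rest))
    fields["_type"] = event_type.strip()
    return fields

def streamstats_last(events, field, by=None):
    """Emulate '| streamstats last(<field>) as <field> by <by>': walk the results in
    order and carry the most recently seen value forward within each group. An event
    whose group has produced no value yet keeps the field unset (None)."""
    last_seen, out = {}, []
    for ev in events:
        key = ev.get(by) if by else None
        if field in ev:
            last_seen[key] = ev[field]
        out.append({**ev, field: last_seen.get(key)})
    return out

def filldown_by_account(search_results, use_reverse=True):
    """The answer's pipeline: '| reverse | streamstats last(account-level) as
    account-level by account-name | reverse'. Input and output are newest first, as
    Splunk returns them; use_reverse=False shows what happens without the reverses."""
    ordered = search_results[::-1] if use_reverse else list(search_results)
    filled = streamstats_last(ordered, "account-level", by="account-name")
    return filled[::-1] if use_reverse else filled

def special_levels(results):
    """(account-name, account-level) of each SPECIAL-EVENT, oldest first, for inspection."""
    return [(e["account-name"], e["account-level"])
            for e in reversed(results) if e["_type"] == "SPECIAL-EVENT"]

# Splunk hands search results to the pipeline newest first, so reverse the listing.
SEARCH_RESULTS = [parse_event(line) for line in reversed(CHRONOLOGICAL)]

if __name__ == "__main__":
    print("reverse|streamstats|reverse:", special_levels(filldown_by_account(SEARCH_RESULTS)))
    print("streamstats only:           ", special_levels(filldown_by_account(SEARCH_RESULTS, False)))
```

With the reverses, each special event gets the level the account had at that moment (alice 2, bob 1, alice 3); without them it gets the next level instead, and bob's special event gets no level at all because no newer bob level exists in the results.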

p_splunk
Engager

Yes, I know this usage (I'm actually often using | sort 0 +_time ... I wonder which one is the "faster").

But the problem is somehow that with big data something stops working; I could imagine something like maxout or similar, but I can't find any error message in the inspection (does any of you have another hint about what the reason could be?).
