Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

filldown by clause?

p_splunk
Engager
‎11-14-2012 03:47 AM

i have events for player accounts, which have player-levels, and have additional events for these accounts, which dont have the field player_level, looks e.g like this

GENERAL-EVENT [ account-name=xxx account-level=1]

GENERAL-EVENT [ account-name=xxx account-level=2]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=3]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=4]

and i want to give the SPECIAL-EVENTS the field account-level at which this special-thing has "happened".

so i found
| filldown account-level


which works well as long i do a search only over one account-name, but when i want to do searches over all accounts there is nothing like

| filldown account-level by account-name

is there any work-around?????

i'm using 4.3.3


edit: i tried variants with streamstats, but somehow when i use it for a bigger timeframe with many data, it dowsnt work the right way, cuz at some account-levels the level-sum contains 0 special-events, but where i know, that there are some, when i use the search for a specific account.

Tags (2)
0 Karma
Reply

p_splunk
Engager
‎11-15-2012 02:34 AM

again: any of u have another hint what can be the reason?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-14-2012 04:46 AM

Streamstats can do that:

... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ...

This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.

Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.

Reply

p_splunk
Engager
‎11-14-2012 07:17 AM

yes i know this usage (im actually often using | sort 0 +_time ... wonder which one is the "faster")

but the problem is somehow that with big data something stops working, i could imagine of something like maxout or smth, but i cant find any error message in the inspection (any of u have another hint what can be the reason?).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...