Splunk Search

filldown by clause?

p_splunk
Engager

I have events for player accounts, which have player levels, and additional events for these accounts, which don't have the field player_level. They look e.g. like this:

GENERAL-EVENT [ account-name=xxx account-level=1]

GENERAL-EVENT [ account-name=xxx account-level=2]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=3]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

SPECIAL-EVENT [ account-name=xxx other-field=xxx]

GENERAL-EVENT [ account-name=xxx account-level=4]

and I want to give the SPECIAL-EVENTs the field account-level at which this special thing has "happened".

So I found

| filldown account-level

which works well as long as I do a search over only one account-name, but when I want to do searches over all accounts there is nothing like

| filldown account-level by account-name

Is there any workaround?

I'm using 4.3.3.


Edit: I tried variants with streamstats, but somehow when I use it for a bigger timeframe with a lot of data, it doesn't work the right way, because at some account-levels the level sum contains 0 special events, where I know that there are some when I use the search for a specific account.


p_splunk
Engager

Again: does any of you have another hint what the reason could be?


martin_mueller
SplunkTrust

Streamstats can do that:

... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ...

This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.

Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.
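An added Python emulation of the `streamstats last(...) by account-name` answer above (not from the thread or from Splunk), run over constructed sample events for two invented account names, to show why the double reverse matters and what a special event with no earlier level gets:

```python
import re
from collections import defaultdict

# Constructed sample events, listed oldest-first like the question's layout;
# the account names are made up for this illustration.
SAMPLE_EVENTS = """\
GENERAL-EVENT [ account-name=alice account-level=1]
GENERAL-EVENT [ account-name=bob account-level=1]
GENERAL-EVENT [ account-name=alice account-level=2]
SPECIAL-EVENT [ account-name=alice other-field=x]
SPECIAL-EVENT [ account-name=bob other-field=y]
GENERAL-EVENT [ account-name=alice account-level=3]
SPECIAL-EVENT [ account-name=alice other-field=x]
SPECIAL-EVENT [ account-name=alice other-field=x]
GENERAL-EVENT [ account-name=alice account-level=4]
GENERAL-EVENT [ account-name=bob account-level=2]
"""

KV_RE = re.compile(r"([\w-]+)=(\S+?)(?=\s|\])")

def parse_events(text):
    """Turn each 'TYPE [ k=v k=v]' line into (event_type, {field: value})."""
    events = []
    for line in text.splitlines():
        if line.strip():
            etype, _, rest = line.partition(" [")
            events.append((etype.strip(), dict(KV_RE.findall(rest))))
    return events

def fill_level_by_account(events, newest_first=False):
    """Emulate `streamstats last(account-level) as account-level by account-name`.

    newest_first=False walks oldest-first, which is what `| reverse | streamstats
    ... | reverse` achieves: a SPECIAL-EVENT inherits the level of the latest
    GENERAL-EVENT before it in time. newest_first=True walks Splunk's default
    order, so it picks up the *next* level instead. Returns, per account, the
    level assigned to each SPECIAL-EVENT in time order; None means no level was
    seen yet in the searched data (NULL in Splunk), which silently drops that
    event from any later `stats count by account-level`.
    """
    order = list(enumerate(events))
    if newest_first:
        order.reverse()
    last_level, assigned = {}, {}   # running value per "by" group
    for idx, (etype, f) in order:
        acct = f["account-name"]
        if "account-level" in f:
            last_level[acct] = int(f["account-level"])
        elif etype == "SPECIAL-EVENT":
            assigned[idx] = (acct, last_level.get(acct))
    result = defaultdict(list)
    for idx in sorted(assigned):
        acct, level = assigned[idx]
        result[acct].append(level)
    return dict(result)
```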

p_splunk
Engager

Yes, I know this usage (I'm actually often using | sort 0 +_time ... I wonder which one is the "faster" one).

But the problem is somehow that with big data something stops working. I could imagine something like a maxout or similar, but I can't find any error message in the inspection (does any of you have another hint what the reason could be?).
