Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ideas for reliably bracketing timerange around discrete 'snapshots'

sideview
SplunkTrust
SplunkTrust
‎07-13-2011 09:32 PM

Say that you have a huge volume of events, and they come in big batches. Each batch is a discrete unit, and mixing information from the most recent batch with the previous batch is unacceptable.

more givens:

  1. the events within a particular batch are spread out over a few minutes.
  2. we do have control over the data so we could write a particular event at the start and at the end of the batch if necessary. We could even create a start/end event that had a different source or sourcetype.

Given all this, Is there a good clean way to construct a custom search or a custom view that will be sure to operate only on the events of the most recent batch?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-14-2011 05:50 AM

Your best bet is to use the "head" command which can take a predicate instead of an absolute count.

For example, the following search only takes (all of) the events from the most recent second from index=_internal:

index=_internal | streamstats dc(_time) as dc_time | head dc_time==1

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-14-2011 05:50 AM

Your best bet is to use the "head" command which can take a predicate instead of an absolute count.

For example, the following search only takes (all of) the events from the most recent second from index=_internal:

index=_internal | streamstats dc(_time) as dc_time | head dc_time==1
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-15-2011 06:45 PM

This ability of head has been around since 4.1, I believe.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎07-14-2011 12:15 PM

transaction wont work here because the set of events needs to be sliced and diced up a number of ways by a lot of different 'stats foo(bar) by baz, bat' searches, and transaction is going to put me in multivalue hell.

0 Karma
Reply
Solved! Jump to solution

Brian_Osburn
Builder
‎07-14-2011 10:27 AM

Wouldn't this be a good use of a transaction command? especially if you've got a well defined start and stop?

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎07-14-2011 10:19 AM

The events here are not in a single second, but this offers a tool that seems to open up a number of other ideas. Is that ability of the head command new in 4.2? It seems like I could use eval and streamstats to keep track of when I see the 'start' event and 'end' event, and then use head to terminate once I get back to the correct head event. Is that what you would do?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...