Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

map over makecontinuous not working ...

JeToJedno
Explorer
‎11-15-2017 07:37 AM

I'm trying to fill in the gaps in a set of data, where there are different gaps for each of the types.

I've tried:

... | appendpipe [ stats FIRST(device_id) AS device_id BY day, device_type | map maxsearches=20 search="where device_type=\"$device_type$\" | makecontinuous day span=1 | where ISNULL(device_type) | eval device_type=\"$device_type$\", device_id=\"$device_id$\" " ] ...

But I get no results from that. I've tried multiple variants of this, with & without quotes, with & without the wheres. All give me nothing ...
The makecontinuous on its own does create the missing entries, but without the relevant device_type values, and without multiple events (one for each missing type) on each day.

Any advice / comment / better way of doing this?

Thanks
David

0 Karma
Reply

cmerriman
Super Champion
‎11-16-2017 04:50 AM

are you using stats or chart before the appendpipe?
if you have duplicate day values, makecontinuous will not work.

can you try (edit chart syntax to fit your needs)

|chart count(device_id) as devices by day device_type
|makecontinuous day
|fillnull value=0
Reply

JeToJedno
Explorer
‎11-16-2017 05:28 AM

Thanks. I was aware of that deficiency in makecontinuous and trying to avoid it. I can make it work by adding multiple appendpipes with makecontinuous, one for each device_type, but that needs editing every time that list of device types changes. e.g.

| appendpipe [ where device_type=1 | makecontinuous day | where ISNULL(device_type) | eval device_type=1 ]
| appendpipe [ where device_type=2 | makecontinuous day | where ISNULL(device_type) | eval device_type=2 ]
elc ...
0 Karma
Reply

JeToJedno
Explorer
‎11-16-2017 02:13 AM

What I'm trying to do is fill in the gaps in the results of the previous search, which summarises log entries. On some days, for some device types, there are no entries so there are gaps ... and I'd like those filled in, for each device type.

0 Karma
Reply

DalJeanis
Legend
‎11-15-2017 01:44 PM

I'm not sure what you believe your code is supposed to do.

The first thing I would try is to put a pipe before stats.

The second thing would be to turn the search from the map search= into a valid search, by at the very least starting it with the keyword search.

Before I did any of that, though, I would describe here in plain English what you are trying to achieve and see whether or not the community is able to give you the desired syntax.

0 Karma
Reply

JeToJedno
Explorer
‎11-16-2017 02:22 AM

The code is intended to fill in gaps in the results from the previous search. That produces results by day and device_type, but not all days have results for all device types.
The gaps make some graphs and subsequent analyses perform strangely.

0 Karma
Reply

cmerriman
Super Champion
‎11-15-2017 12:57 PM

what is before the appendpipe?

0 Karma
Reply

JeToJedno
Explorer
‎11-16-2017 02:11 AM

a search that summarises log entries by day and device_type, giving active and concurrent active, along with concurrent registrations (credential validity is renewed daily and are valid 7 days from last use).

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...