Splunk Search

map over makecontinuous not working ...

JeToJedno
Explorer

I'm trying to fill in the gaps in a set of data, where there are different gaps for each of the types.

I've tried:

... | appendpipe [ stats FIRST(device_id) AS device_id BY day, device_type | map maxsearches=20 search="where device_type=\"$device_type$\" | makecontinuous day span=1 | where ISNULL(device_type) | eval device_type=\"$device_type$\", device_id=\"$device_id$\" " ] ...

But I get no results from that. I've tried multiple variants of this, with & without quotes, with & without the wheres. All give me nothing ...
The makecontinuous on its own does create the missing entries, but without the relevant device_type values, and without multiple events (one for each missing type) on each day.

Any advice / comment / better way of doing this?

Thanks
David

0 Karma

cmerriman
Super Champion

are you using stats or chart before the appendpipe?
if you have duplicate day values, makecontinuous will not work.

can you try (edit chart syntax to fit your needs)

|chart count(device_id) as devices by day device_type
|makecontinuous day
|fillnull value=0

JeToJedno
Explorer

Thanks. I was aware of that deficiency in makecontinuous and trying to avoid it. I can make it work by adding multiple appendpipes with makecontinuous, one for each device_type, but that needs editing every time that list of device types changes. e.g.

| appendpipe [ where device_type=1 | makecontinuous day | where ISNULL(device_type) | eval device_type=1 ]
| appendpipe [ where device_type=2 | makecontinuous day | where ISNULL(device_type) | eval device_type=2 ]
elc ...
0 Karma

JeToJedno
Explorer

What I'm trying to do is fill in the gaps in the results of the previous search, which summarises log entries. On some days, for some device types, there are no entries so there are gaps ... and I'd like those filled in, for each device type.

0 Karma

DalJeanis
Legend

I'm not sure what you believe your code is supposed to do.

The first thing I would try is to put a pipe before stats.

The second thing would be to turn the search from the map search= into a valid search, by at the very least starting it with the keyword search.

Before I did any of that, though, I would describe here in plain English what you are trying to achieve and see whether or not the community is able to give you the desired syntax.

0 Karma

JeToJedno
Explorer

The code is intended to fill in gaps in the results from the previous search. That produces results by day and device_type, but not all days have results for all device types.
The gaps make some graphs and subsequent analyses perform strangely.

0 Karma

cmerriman
Super Champion

what is before the appendpipe?

0 Karma

JeToJedno
Explorer

a search that summarises log entries by day and device_type, giving active and concurrent active, along with concurrent registrations (credential validity is renewed daily and are valid 7 days from last use).

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...