About yuanliu

yuanliu · ‎10-07-2015

In my case, the macro is already shared in "app".

yuanliu · ‎09-24-2015

@somesoni2 do you happen to know if in some conditions $click.value2$ won't work in "advanced XML"? Or is this caused by some server-side configuration glitch? After using $click.value2$ in simple XML on my desktop, I had to work with "advanced XML" in "real server". By then, I could only use <param>row<\/param> . If I attempt any other value, any click results in null for all variables.

yuanliu · ‎09-24-2015

except for "Random at end" part values(ID) reveals field names "Pattern" and "ID" among values of ID in "Random at end" group. Unsure what causes this weird outcome. At least the "real" values are correct.

yuanliu · ‎09-23-2015

Good move, @rich7177. With the four IDs used in the example chart, I get Pattern Count Flat at beginning 2 Random at beginning 1 Random at end 5 Zero at beginning 1 Zero at end 1 So except for "Random at end" part, it's all right. I'll sleep on why the same field name passes through, and worry about how to dedupe the outputs into sequences tomorrow.

yuanliu · ‎09-23-2015

If you have the regex, that should be all you need. All I'm suggesting is to extract that string and group accordingly. I don't get how D is used in the above, but I can think of another workaround: Just get rid of all numerals. Like this? index="prop_data" uri=*/property/*/* | eval uri=replace(uri,".+/property/","") | eval uri=replace(uri,"/\d+(\.json$|/)","") | stats avg(execution_time) by uri

yuanliu · ‎09-23-2015

Alternatively, you simply | sort monthNum (without -). That'll sort in ascending order.

yuanliu · ‎09-23-2015

Something like index="prop_data" uri=*/property/*/* | rex field=uri mode=sed "s=(/[^\/]+){2}.+?([^\d/]+).*=\2=" | stats avg(execution_time) by uri

yuanliu · ‎09-23-2015

This is a continuation of How to recognize a flat pattern in a given time period which @lguinn solved with a combination of appendpipe , head , and untable . It concerns three patterns in two distinct time periods. Now I realize that my | timechart count by ID contains three distinct time periods, resulting in more possible patterns. In the graph, four different patterns are observable: Flat, nonzero at beginning, then fluctuate all the way to end. Flat, zero at beginning, then fluctuate all the way to end. Fluctuate from beginning all the way to end. Flat, nonzero at beginning, fluctuate in the middle, then flat, zero at end. Though not in my case, one could easily extend this to several more "flat vs non-flat, zero vs nonzero" combinations. Using @lguinn's method, I can distinguish patterns at beginning by mysearch | timechart count by ID | appendpipe [ head 24 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval headpattern=case(max==0,"Zero at beginning", max>0 and sdev < .25,"Flat at beginning", 1==1,"Random") | fields ID headpattern ] | stats dc(ID) as Count by headpattern I can also distinguish patterns at end by mysearch | timechart count by ID | appendpipe [ tail 24 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval tailpattern=case(max==0,"Zero at end", max>0 and sdev < .25,"Flat at end", 1==1,"Random") | fields ID tailpattern sdev max ] | stats dc(ID) as Count by tailpattern However, if I try to combine the two in order to do | stats dc(ID) as Count by headpattern tailpattern , the magic disappears. Here is what I have tried: mysearch | timechart count by ID | appendpipe [ head 24 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval headpattern=case(max==0,"Zero at beginning", max>0 and sdev < .25,"Flat at beginning", 1==1,"Random") | fields ID headpattern ] | appendpipe [ tail 24 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval tailpattern=case(max==0,"Zero at end", max>0 and sdev < .25,"Flat at end", 1==1,"Random") | fields ID tailpattern sdev max ] | stats dc(ID) as Count by headpattern tailpattern No result comes out. How can I detect patterns in both time regions?

yuanliu · ‎09-23-2015

Thanks, @lguinn. untable is such a handy command! I had previously asked about filling leading zeros, and got a slim but still lengthy method. (My memory lapsed when I said straight fillnull had worked. It hadn't.) Will test in other use cases. Note after untable , head will only return the number of events as in total, and not on a per ID basis. This is undesired. (For one, there could be more than 11 IDs.) So untable should be performed after head inside appendpipe . With this adjustment, and adding max() to criteria, I can use the following to group my IDs: yoursearchhere | timechart count by ID | appendpipe [ head 11 | untable _time ID count | stats stdev(count) as sdev max(count) as max by ID | eval pattern=case(max==0,"Zero at beginning", max>0 and sdev < .25,"Flat at beginning", 1==1,"No head pattern") | fields ID pattern ] | stats dc(ID) as Count by pattern Now, there is a tail pattern in my search, whereby some IDs disappears in the final time periods. When I tried to use the same untable technique, using tail in place of head , I got no IDs in. I'll submit as a new question for that one.

yuanliu · ‎09-23-2015

Add a dc(host) to the search, then filter off that key. index="atg" sessionId="*mob" host="*" | stats values(host) as hosts, dc(host) as hostcount, values(source) as sources by sessionId | where hostcount > 1

yuanliu · ‎09-15-2015

"head" and "appendpipe" (and first()) are what I missed. Thanks! (Now I want even more commands to zoom in any given internal:-) I just realize that "count by _time ID" does not give out 0 for missing values at the two ends. (Strangely, timechart always does.) I even tried fillnull to no avail. (I know this was encountered in another question, but fillnull seemed to have solved the problem.) Ideas?

yuanliu · ‎09-14-2015

I realize that the original question miss this info: The illustrated time pattern is produced by | timechart count by ID Some IDs fall into 1, some fall into 2, some fall into 3.

yuanliu · ‎09-14-2015

Getting stdev is easy. The problem is to search based on 0-stdev in a sub period of the total search, because it is not 0 in the entire search period (in which case I can use an eventstat to identify them).

yuanliu · ‎09-14-2015

Thanks for the answer. I suspected that special characters in namespace could be a hazard. Then I was encouraged by many examples. (Yes, field names, too). I can understand that allowing dash in field names has practical advantages. But why allow them in strictly user-generated objects such as macro names? If the rulebook says yes, then some rule engines allow it and some deny it, that's a bug. As to argument, the macro is tested with no problem. Can't say that I have seen saved searches with macros with argument. But again, if that is not to be allowed, the error message should be explicit. At the very minimum, this should be documented somewhere.

yuanliu · ‎09-14-2015

I have a search that returns a large number of series of data to be displayed/analyzed easily. These series show three distinct patterns: Flat at beginning, rugged after some time. Irregular throughout. Zero (flat) at beginning, rugged after some time. I want to then search according to each pattern. This falls into pattern recognition, but for my purposes, a simple method to identify the flat beginning is good enough. In other words, I only need to "search those with flat beginning greater than 11", "search those with flat beginning of 0", and "search those that are neither." Is there a simple method to do this?

yuanliu · ‎09-10-2015

When I try to use a macro in place of a group of filters in a saved search, Splunk gives me "Encountered the following error while trying to update: In handler 'savedsearch': `macro-name`," where macro-name is a string with a literal dash ( - ). I am nearly certain that I've seen saved searches containing macros. I first tried to save from "Edit -> Open in search -> Save". There, the "full" version and the version with macro are tested to have the correct syntax as well as desired result. After getting the error, I went directly in "Settings -> ..." to edit. But upon "Save", it gives the same error. In addition to having a literal dash in macro name, another possible singularity is the use of an argument (as required by the macro).

yuanliu · ‎01-27-2015

We have the same situation. Power user role is definitely preferred.

yuanliu · ‎01-27-2015

@somesoni2: Some nuanced questions. In mvrange() , what is the significance of JobRunTime + 1? If I run this over jobs that connect end to tail, i.e., when one job finishes the next one starts, it seems that JobRunTime - 1 would eliminate artificial overlaps. (I know that boundary conditions are prior knowledge and not a logical conclusion, so (0, JobRunTime) or (0, JobRunTime-1) will depend on use case. Just want to know if JobRunTime+1 has a special meaning.) To follow on mvrange() | mvexpand , it appears to me that (1,range) should work as well as (0,range), because event at _time + 0 should already have existed as the original event. Does this sound right? How does mvrange determine increment when none is given? Direct test using my data seems to show that it takes 1 minute increment. The first stats uses sum() as output, whereas the subsequent timechart uses max() . Any particular consideration as to the use of sum() as opposed to using max() in both places? (Particularities in my use case not described in this question, namely that my JobName is not always unique, sum() offer some limited advantages.)

yuanliu · ‎01-27-2015

Just confirmed that it is not the dataset difference, but something wrong with my desktop/experimental Splunk 6.1.4. I run your solution over limited real data on our production server (6.1.2), and the output looks normal and plausible. No horn shape comes out. I have yet to validate output manually, but I'm now more troubled by possible setup errors in my experimental Splunk.

yuanliu · ‎01-27-2015

When I compare what I retrieve from my sample data that give me a "horn shape" and the data posted in this question, they are not different. So it must be something I didn't set up correctly in Splunk. _time JobName JobRunTime MemberCount 2014-08-05 10:05:00 76363659 179.75 380458 2014-08-05 06:05:00 76362122 114.75 380458 2014-08-05 02:05:00 76360937 207.75 380458 2014-08-04 22:05:00 76359961 201.75 380458 2014-08-04 18:05:00 76358947 206.75 380458

yuanliu · ‎01-27-2015

Excerllent! Because the ability to single out top contributing jobs in a big peak is what I'm after, I need to do "by JobName". But this is straightforward. my base search | table _time JobName JobRunTime MemberCount | eval inc=mvrange(0, JobRunTime+1) | mvexpand inc | eval _time=_time + inc*60 | stats sum(MemberCount) as MemberCount by _time JobName | timechart span=1h max(MemberCount) as ConcurrentMembers by JobName While I continue to digest the method and fine tune with conditions in my data and limitations of Splunk's graphics, this really eased my immediate pain. (I have been trying to do this for months if not years.)

yuanliu · ‎01-27-2015

I mean the graph you obtained using the sample data in the question is perfect. But I cannot get the same result on my real(ish) data; member counts simply add up and up, so the total becomes a monotonic increase. Something I haven't understood about the use of <> and so on, I guess. Using 4 jobs of same member count, each lasting close to 4 hours consecutively, I expect a flat stripe with different colour bands. Instead, the bands just add up one after another to form a horn-like shape. (I cannot use graph.)

yuanliu · ‎01-27-2015

This is very helpful. If I directly apply this, it only stacks count up, never takes away after JobRunTime. Why so? My data have a lot more jobs, but I have set limit=0 in timechart already.

yuanliu · ‎01-26-2015

In a way this is similar to the empty time bucket question (http://answers.splunk.com/answers/149425/how-to-produce-empty-time-buckets.html). If, instead of filling "empty" time buckets with 0, we fill them with MemberCount of respective events, the job is done. In other words, this problem has multiple start and end times to be handled. If I can bucket time within each of these event intervals, there maybe a way to get answer.

yuanliu · ‎01-26-2015

Say, I have a series of jobs involving a certain number of members, _time MemberCount JobRunTime (min) JobName 01:00:00 100 15 Job1 01:05:00 200 30 Job2 01:15:00 300 50 Job3 01:30:00 80 10 Job4 I want to show that during the first 5 minutes, total number of members is 100, between 5 and 15 minutes, total is 300 (100+200), between 15 and 30 minutes, total is 500 (300 + 300 - 100), between 30 and 35 minutes, total is 580 (500 + 80), between 35 and 40 minutes, total is 380 (580 - 200), between 40 and 75 minutes, total is 300 (380 - 80), and so on. So this is like the task of calculating concurrency, but instead of mere concurrency of events, I want concurrent total of a field value. The closest I have got is [ original search] | appendpipe [ eval _time=_time + JobRunTime*60 ] | timechart max(MemberCount) by JobName This will give me an "ending" event for each job start time, so I can connect the two dots as a straight line, and see that it overlaps with some other lines on time axis. What I want is a column chart (or area chart as resolution increases) that stacks Job1's MemberCount on top of Job2's when it starts, and so on. How do I do that?

Posts	2668
Solutions	412
Karma Given	220
Karma Received	910
Member Since	‎11-12-2013

Online Status	Offline
Date Last Visited	yesterday

Why does Dashboard Studio grey out "Open in Search...

Why does Dashboard Classic not return result even ...

How to fix BTree unexpected offset 0 while on orde...

How to prevent Splunk on MacOS from "freezing"

How to fix wandering trellis order?

How to force chart over _time to show trailing zer...

How to fix CSV ingestion random cutoffs?

How to set "abnormal" tallies to null after timech...

How to insert hyperlink in Dashboard Studio?

Why the error "The lookup could not be loaded from...

Re: Why I cannot save a search containing a macro?

Re: Dynamic Drilldowns - pass token over and popul...

Re: How to recognize flat patterns in separate tim...

Re: How to recognize flat patterns in separate tim...

Re: Grouping by String and Sorting by Average

Re: How to chart months on the X-axis in chronolog...

Re: Grouping by String and Sorting by Average

How to recognize flat patterns in separate time pe...

Re: How to recognize a flat pattern in a given tim...

Re: How to filter my search to only list values fo...

Re: How to recognize a flat pattern in a given tim...

Re: How to recognize a flat pattern in a given tim...

Re: How to recognize a flat pattern in a given tim...

Re: Why I cannot save a search containing a macro?

How to recognize a flat pattern in a given time pe...

Why I cannot save a search containing a macro?

Re: How to setup R Project User Permissions for Sc...

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

Re: How to compute concurrent members in events?

How to compute concurrent members in events?

Are you a member of the Splunk Community?