Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About brunton2
brunton2
Path Finder
Member since:
01-06-2015
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 8 |
| Member Since | 01-06-2015 |
Activity Feed
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 03-02-2021 02:20 PM
- Karma Re: Why does TimePicker have old/lag context data during change event? for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: How to find latest events within multiple transactions? for woodcock. 06-05-2020 12:48 AM
- Got Karma for Why does TimePicker have old/lag context data during change event?. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk DB Connect - dbquery inline search and time filtering not working. 06-05-2020 12:46 AM
- Posted Re: Splunk DB Connect - dbquery inline search and time filtering not working on Splunk Search. 04-08-2019 08:03 AM
- Posted Re: Splunk DB Connect - dbquery inline search and time filtering not working on Splunk Search. 06-19-2017 05:40 PM
- Posted Re: How to find latest events within multiple transactions? on Splunk Search. 03-16-2017 08:31 AM
- Posted Re: How to find latest events within multiple transactions? on Splunk Search. 03-16-2017 08:27 AM
- Posted Re: How to find latest events within multiple transactions? on Splunk Search. 03-15-2017 09:28 AM
- Posted How to find latest events within multiple transactions? on Splunk Search. 03-15-2017 09:03 AM
- Tagged How to find latest events within multiple transactions? on Splunk Search. 03-15-2017 09:03 AM
- Tagged How to find latest events within multiple transactions? on Splunk Search. 03-15-2017 09:03 AM
- Posted Re: How to use streamstats to evaluate and filter a row at a time? on Splunk Search. 11-29-2016 06:54 PM
- Posted Re: How to use streamstats to evaluate and filter a row at a time? on Splunk Search. 11-14-2016 12:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 |
04-08-2019
08:03 AM
1 Karma
Try the following (dbxquery doesn't automatically convert times):
| eval _time=strptime(timestamp_column,"%Y-%m-%d %H:%M:%S") | where _time>relative_time(now(),"-7d")
... View more
06-19-2017
05:40 PM
Unfortunately our client time and Splunk time is all within the same timezone so we haven't had to consider this problem. However, we have recently been assessing migrating to DBconnect v2 and have observed that timestamps don't convert natively so we ended up implementing a stored procedure to translate to back to unix epoch for use with Splunk. Not sure if you could use a similar technique to supply the client TZ and have the backend DB convert the timestamps accordingly? The following was our example for conversion that we wrap the timestamp selects with
create or replace function date_to_epoch(in_date in date) return number is
epoch number(38);
begin
select (in_date - to_date('1-1-1970 00:00:00','MM-DD-YYYY HH24:Mi:SS'))*24*3600 into epoch from dual;
return epoch;
exception when others then
null;
end;
... View more
03-16-2017
08:31 AM
Iguinn
This was close but I couldn't get the trans_sequence_number to expand with the motorinfo with this solution. Prior to expanding it was correctly set but after the mvexpand it somehow was lost and resulted in it being NULL for all rows. Thanks for the contribution though, it was largely the same as to above and I used bits of each of the proposed solutions to get to my end goal.
Thanks
... View more
03-16-2017
08:27 AM
Thanks woodcock!
Although this wasn't used verbatim to solve my problem (largely because there were data complexities that I omitted from my description) it was exactly what I needed to resolve my needs. The consolidation of a transaction into a single event was the key part I needed and from there I could manipulate my data as I needed it. From there I found out that rex would allow me to pull a mvlist of events (learn something new every day!) and from this ordered list I could then find the latest moves of each motor.
Thanks again
... View more
03-15-2017
09:28 AM
I have multiple transactions, each one consists of a pattern of events similar to the example. The number of 'motor' events in each transaction varies from a dozen to a couple of hundred.
Thanks
... View more
03-15-2017
09:03 AM
I have multiple transactions similar to the following:
<time> Event Start
<time> Motor 1, Steps 2345
<time> Motor 2, Steps 2232
<time> Motor 3, Steps 2235
<time> Motor 2, Steps 2532
<time> Motor 4, Steps 2342
<time> Motor 1, Steps 2642
<time> Event End
What I'd like as a result is to find the latest 'steps' for each distinct motor within each transaction. I've done numerous searches but drawn a blank on how to achieve it. Can anyone help suggest an approach?
Thanks
... View more
11-29-2016
06:54 PM
Yes and no unfortunately. Yes from the perspective that it did what I wanted. No from the perspective that the performance of mvexpand makes the solution unbearably slow in the large data set scenario I'm trying to solve.
What I'd really like to do is perform an mvfind with a numeric comparison against each element in the mvlist. Unfortunately the comparison needs to use the LAST_START and LAST_END variables which mvfind appears unable to support.
What I've resorted to doing is extracting each of the mvlist elements as eval variables and comparing against each in sequence. The performance of the query is orders of magnitude faster than the mvexpand approach but it makes the query horrific to look at!
Unless someone can suggest a method to either optimizing mvexpand over large data sets or a method to use mvfind with a variable in the comparison routine then I think I'm stuck with this approach
... View more
11-14-2016
12:02 PM
Thanks for this. While it didn't solve my problem exactly (as it only has a 1 element lookahead, before and after) it did put me on a better path. I've ended up with the following which does a window lookahead, before and after, to determine if there is are contiguous events. If there isn't (and it isn't the start or end event) it eliminates it.
| streamstats current=f window=30 values(LAST_START) as next_start | eval next_start = if(isnull(next_start),LAST_END,next_start) | reverse | streamstats current=f window=30 values(LAST_END) as prev_end | eval prev_end = if(isnull(prev_end),LAST_START,prev_end) | mvexpand next_start | eval delta1=next_start-LAST_END | mvexpand prev_end | eval delta2=LAST_START-prev_end| where coalesce(delta1,0)=0 AND coalesce(delta2,0)=0 | reverse
... View more
11-11-2016
05:07 PM
I'm looking for a way to filter search results based on calculating time deltas between 2 rows (goal is to extract contiguous events based on 0 or greater time delta from the end of one event to the start of the next). The problem is that I need to evaluate each row pair and filter in a single operation and then repeat for the entire data series. The only way I have been able to achieve this so far is to use searchstats, and filter out a row at time and rerun the streamstats until the result set no longer reduces. Is there a better way?
Example data set (in reverse chronological 'end time' order):
Event Start_Time End_Time Delta
Event_1 13:10:00 13:20:00 -
Event_2 13:07:00 13:15:00 -5:00
Event_3 13:06:00 13:14:00 -7:00
Event_4 13:00:00 13:10:00 -4:00
Event_5 12:50:00 13:00:00 0
Desired Output
Event Start_Time End_Time Delta
Event_1 13:10:00 13:20:00 -
Event_4 13:00:00 13:10:00 0
Event_5 12:50:00 13:00:00 0
Actual Output
Event Start_Time End_Time Delta
Event_1 13:10:00 13:20:00 -
Event_5 12:50:00 13:00:00 0
Original Query
<query> | streamstats current=f window=1 global=f last(Start_Time) as Next_Start | while (Next_Start - End_Time) >= 0
-- Next_Start is the 'Start_Time' from the first row, and End_Time is from the second row
Problem is that this filters out Event 4 because it evaluates the entire data set in one operation before evaluating the filter
Current Working (but inefficient) Query, and I don't really know how many times to call the filter (although strangely enough it doesn't seem to cause a significant time impact even with 30+ calls!)
<query> | streamstats current=f window=1 global=f last(Start_Time) as Next_Start | eval diff = Next_Start - End_Time | streamstats current=f window=1 global=f last(diff) as prev_diff | eval diff = if(diff<0 AND prev_diff<0,0,diff) | search diff >= 0
| streamstats current=f window=1 global=f last(Start_Time) as Next_Start | eval diff = Next_Start - End_Time | streamstats current=f window=1 global=f last(diff) as prev_diff | eval diff = if(diff<0 AND prev_diff<0,0,diff) | search diff >= 0
| streamstats current=f window=1 global=f last(Start_Time) as Next_Start | eval diff = Next_Start - End_Time | streamstats current=f window=1 global=f last(diff) as prev_diff | eval diff = if(diff<0 AND prev_diff<0,0,diff) | search diff >= 0
... <repeat until data set doesn't reduce any further>
-- Only consider the first two rows with a negative result. If there are contiguous rows with a negative result zero out all but the first and let the next searchstats call filter them one by one.
Any suggestions would be greatly appreciated. Thanks
... View more
04-16-2016
09:43 AM
6 Karma
Here is pretty seamless method to achieve the desired result, at least for my needs with an Oracle DB. I should add that this method differs from most of the other solutions by pre-filtering the query results using the database server rather than post-filtering the results in Splunk (which was my requirement due to the number of rows an unbounded time query would return)
Define the timepicker with an 'on change' eval to transform the selection into a converted start and end date/time string:
<input type="time" token="timerange">
<label>Date Range</label>
<default>
<earliest>-2d@d</earliest>
<latest>now</latest>
</default>
<change>
<eval token="form.et">strftime(relative_time(now(),'earliest'), "%F %T")</eval>
<eval token="form.lt">strftime(relative_time(now(),'latest'), "%F %T")</eval>
</change>
</input>
Then use the string tokens directly in the dbquery syntax:
.... AND (TIME_STAMP >= TO_DATE('$form.et$', 'YYYY-MM-DD HH24:MI:SS') AND TIME_STAMP <= TO_DATE('$form.lt$', 'YYYY-MM-DD HH24:MI:SS'))
I was trying to find a decent solution to this for months!
... View more
04-15-2016
07:11 PM
Tried that but it resulted in the tokens not updating at all. However it did trigger me to try the following which worked perfectly! Thanks so much for your quick and helpful reply, I've been bashing my head against a wall trying to get this working. I now can use this for transforming the timepicker selection for filter inputs to my dbquery (that I've also been trying to figure out for months)!
<change>
<eval token="et">strftime(relative_time(now(),'earliest'), "%m/%d/%Y %H:%M:%S")</eval>
<eval token="lt">strftime(relative_time(now(),'latest'), "%m/%d/%Y %H:%M:%S")</eval>
</change>
... View more
04-15-2016
04:57 PM
1 Karma
I'm trying to set readable tokens based on TimePicker entries but the token content retrieved and processed always seems to lag by one user input. Any suggestions/workarounds would be appreciated. Below is an example SimpleXML to reproduce the problem followed by example input/output:
<form autorun="true">
<fieldset>
<input type="time" token="timerange" searchWhenChanged="true">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
<change>
<eval token="et">strftime(relative_time(now(),'timerange.earliest'), "%m/%d/%Y %H:%M:%S")</eval>
<eval token="lt">strftime(relative_time(now(),'timerange.latest'), "%m/%d/%Y %H:%M:%S")</eval>
</change>
</input>
</fieldset>
<row>
<html>
<p>Earliest: <b>$et$</b></p>
<p>Latest: <b>$lt$</b></p>
</html>
</row>
</form>
Input 1:
7 Days Ago
Output 1: (Default is All Time)
Earliest: 12/31/1969 16:00:00
Latest: 04/15/2016 16:46:13
Input 2:
4 Hours Ago
Output 2: (Result of previous selection of 7 Days Ago, not 4 hours Ago)
Earliest: 04/08/2016 16:00:00
Latest: 04/15/2016 16:48:33
Input 3:
30 Days Ago
Output 3: (Result of previous selection of 4 Hours Ago, not 30 Days Ago
Earliest: 04/15/2016 12:50:00
Latest: 04/15/2016 16:50:15
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
