Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nmaiorana
nmaiorana
Explorer
Member since:
02-28-2013
04-23-2021
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 02-28-2013 |
Activity Feed
- Got Karma for Re: I'm trying to do a conditional min() function from a query. 06-05-2020 12:47 AM
- Got Karma for Re: What is meant to clean up dispatch?. 06-05-2020 12:46 AM
- Posted Re: Is there a way to enable event sampling in a search? on Splunk Search. 02-11-2020 06:12 AM
- Posted Re: How to add addcoltotals functionality to show average instead of the total? on Splunk Search. 01-29-2020 06:05 AM
- Posted Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Tagged Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Tagged Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Tagged Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Tagged Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Tagged Did the _time value change for bin or bucket? on Deployment Architecture. 07-14-2017 07:01 AM
- Posted Re: Why is our dispatch directory getting full with strange CSV files? on Getting Data In. 09-15-2016 11:40 AM
- Posted Re: How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-05-2016 12:21 PM
- Posted Re: How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:45 AM
- Posted How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:36 AM
- Tagged How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:36 AM
- Tagged How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:36 AM
- Tagged How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:36 AM
- Tagged How to set the time events were indexed as the event timestamp, not the time the logs were written? on Getting Data In. 05-04-2016 11:36 AM
- Posted Re: What is meant to clean up dispatch? on Splunk Search. 04-19-2016 05:58 AM
- Posted Re: Streamstats and resetting a running total on Splunk Search. 08-20-2015 06:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-11-2020
06:12 AM
Correct, this does not improve performance. Is Splunk planning on providing a true sampling function that is applied at the index level? With the amount of data being processed today, sampling is the only manageable way to produce metrics.
Thanks
... View more
01-29-2020
06:05 AM
It appears as though users would like this to be a function like addcoltotals. Is Splunk planning on adding this feature (and possibly other stats functions) for totals?
Thanks
... View more
07-14-2017
07:01 AM
When we started using Splunk a couple of years ago, we needed to calculate mean on various time windows (5, 20, 60) minutes.
The _time variable after the bucket (bin) operation would be the ending time of the time slot for each new row:
bucket times accordingly:
00:00:001 through 00:05:00 ---> bucket 00:05
00:05:001 through 00:10:00 ---> bucket 00:10
search .... | bin _time minspan=5m | ...
So 10:06, 10:07, 10:08 would all be in the 10:10 bucket. When I ran it today (6.5.2), The new _time value was for the previous time slot 10:05. This makes no sense to me. Why label events that occurred after time for that time? I experimented with hours and found the same thing. However when I upped it to days (span=1d), it used the correct current day.
Is there a way to tell it to bucket the times on the ending value instead of the starting value?
... View more
09-15-2016
11:40 AM
Explanation but no answer. What is the solution to this problem? Can we tell Splunk not to store the job?
... View more
05-05-2016
12:21 PM
That's it! Thank you.
... View more
05-04-2016
11:45 AM
I can't get to the link provided.
Thanks
... View more
05-04-2016
11:36 AM
I would like to read log data by the time the log was ingested, not the time the log was written. For example, give me logs ingested by Splunk in the last 30 seconds. This is almost like a real-time ingestion, except I'm not looking at the log entry time.
... View more
04-19-2016
05:58 AM
1 Karma
What is the root cause of the directory filling up? Going in once a week to clean it manually seems ridiculous to me.
... View more
08-20-2015
06:36 AM
I tried this, but the criteria I need to check on has not been established and the variable from streamstats (cumulativeAmount) which could be used to establish the criteria, does not appear to be available in the eval statement. It passes the isnull(cumulativeAmount) check every time.
... View more
08-18-2015
11:40 AM
The value CUSUM is used later (omitted for brevity) to determine if a function is out of control. Anything CUSUM > than H is out of control. When the value continues to increase and gets very large, even after the function gets back into control, the variation from the mean is too small to register. For this reason I need CUSUM = min(H, max(CUSUM, 0). However, since it's getting accumulated using the streamstats, there is no way to update that value to stay within the range.
Perhaps I just need to use a different method than streamstats to accumulate the ZBAR values.
... View more
08-18-2015
10:31 AM
This is what was suggested to me in the original answer. The problem is this way, CUSUM_SUM will go way outside the range of 0 to H. I'm starting to feel that there is no solution to this problem.
... View more
08-18-2015
06:58 AM
Thanks. I tried:
search blah | eval CUSUM = max(0.000000, CUSUM)| eval CUSUM = min(H, CUSUM) | eval ZBAR = AVGFREQ - (CONTROLMEAN + K ) | streamstats sum(ZBAR) as CUSUM | table blah blah blah
I also tried:
search blah | eval CUSUM = if(CUSUM < 0, 0, if(CUSUM > H, H, CUSUM)) | eval ZBAR = AVGFREQ - (CONTROLMEAN + K ) | streamstats sum(ZBAR) as CUSUM | table blah
It appears as though there are 2 variables with the name CUSUM. One is scoped to the streamstats level and the other is scoped to the event level. Just my guess.
... View more
08-17-2015
02:22 PM
Here is what I did:
| eval ZBAR = blah blah blah | streamstats sum(ZBAR) as CUSUM |
eval CUSUM = if(CUSUM < 0, 0, if(CUSUM > DECLIMIT, DECLIMIT, CUSUM))
CUSUM never got reset, in most cases it get getting more negative or positive.
... View more
08-17-2015
01:45 PM
Here is what I'm getting:
READING_DATETIME SENSOR FREQUENCY AVGFREQ K H ZBAR ACCUMCUSUM CUSUM INCONTROL
8/15/2015 0:00 STAT 95 95 0.243851 2.43851 93.539915 93.539915 2.43851 FALSE
8/15/2015 0:05 STAT 87 91 0.243851 2.43851 89.539915 183.07983 2.43851 FALSE
8/15/2015 0:10 STAT 94 92 0.243851 2.43851 90.539915 273.619745 2.43851 FALSE
8/15/2015 0:15 STAT 89 91.25 0.243851 2.43851 89.789915 363.40966 2.43851 FALSE
8/15/2015 0:20 STAT 94 91.8 0.243851 2.43851 90.339915 453.749575 2.43851 FALSE
8/15/2015 0:25 STAT 92 91.833333 0.243851 2.43851 90.373248 544.122823 2.43851 FALSE
8/15/2015 0:30 STAT 89 91.428571 0.243851 2.43851 89.968486 634.091309 2.43851 FALSE
8/15/2015 0:35 STAT 84 90.5 0.243851 2.43851 89.039915 723.131224 2.43851 FALSE
8/15/2015 0:40 STAT 84 89.777778 0.243851 2.43851 88.317693 811.448917 2.43851 FALSE
Here is what I want to see:
READING_DATETIME SENSOR FREQUENCY AVGFREQ K H ZBAR ACCUMCUSUM CUSUM INCONTROL
8/15/2015 0:00 STAT 95 95 0.243851 2.43851 93.539915 2.43851 2.43851 FALSE
8/15/2015 0:05 STAT 87 91 0.243851 2.43851 89.539915 2.43851 2.43851 FALSE
8/15/2015 0:10 STAT 94 92 0.243851 2.43851 90.539915 2.43851 2.43851 FALSE
8/15/2015 0:15 STAT 89 91.25 0.243851 2.43851 89.789915 2.43851 2.43851 FALSE
8/15/2015 0:20 STAT 94 91.8 0.243851 2.43851 90.339915 2.43851 2.43851 FALSE
8/15/2015 0:25 STAT 92 91.833333 0.243851 2.43851 90.373248 2.43851 2.43851 FALSE
8/15/2015 0:30 STAT 89 91.428571 0.243851 2.43851 89.968486 2.43851 2.43851 FALSE
8/15/2015 0:35 STAT 84 90.5 0.243851 2.43851 89.039915 2.43851 2.43851 FALSE
8/15/2015 0:40 STAT 84 89.777778 0.243851 2.43851 88.317693 2.43851 2.43851 FALSE
Similar if the ZBAR was a negative value, limit the accumulation of CUSUM to 0.
... View more
08-17-2015
01:03 PM
I tried that, but the variable used in the streamstats is not one you can alter.
... View more
08-17-2015
11:34 AM
We are running a CUSUM function where we do not want the value to run away either too high or too low (negative). Ideally we would like the bottom end of this one sided CUSUM to be 0 and the top side to be the value of the decision limit. I have tried using the technique where you accum a variable, but I can only get that to work on the low side.
... View more
- Tags:
- range
- streamstats
- sum
07-02-2015
02:24 PM
1 Karma
I figured it out. It is a combination of eval and if:
min(eval(if(status=="LOGOUT", _time,NULL)))
Thanks for getting me on the right track!
... View more
07-02-2015
02:02 PM
I tried this, the logout_time is empty. Not sure why the "if" statements isn't working. I even tried if(1==1, _time, NULL).
... View more
07-02-2015
12:14 PM
This was giving me an error:
min(eval(status=="LOGOUT", _time,NULL)) as logout_time
I think you meant:
min(if(status=="LOGOUT", _time,NULL)) as logout_time
This did not produce an error, but is not returning what I need either.
Thanks
... View more
07-02-2015
11:03 AM
I have a search where I want to get the first time an event comes in from a source, then find out the first event from that same source with a specific status. For instance, if I want to find out the first time a user logs in and then the first time he signs out to determine total sessions time. Keep in mind that there may be other events from that user during the session which are producing different stats.
What I need is the ability to find the first time using conditional min():
blah blah... | stats min(_time) as login_time, min(eval status="LOGOUT"), _time) as logout_time | ... blah blah blah
... View more
- Tags:
- conditionals
- min
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-23-2021
11:45 AM
|
