I'm collecting lots of data about a large amount of machines with the linux and unix ta (but that's a bit irrelevant with regards to this question other than to give an example). I would like splunk to answer questions like "How much of the time does.. match?" - ie. "How much of the time is cpu_load over 90 by host?" I'm accomplishing something similar with this search (although this is event-correlated, not time-correlated): sourcetype=cpu | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | stats count(eval(Percent_CPU_Load<90)) AS below, count(eval(Percent_CPU_Load>=90)) AS over by host | eval all=below+over | eval TimeOverloaded=tostring(round(over/all*100, 2))+"%" | table host, TimeOverloaded This, however, seems like a very tedious way to get to this information. It feels like there should be a simple search command to answer these kind of questions like stat, chart etc., but I can't find it. All data in splunk is time correlated, so this should certainly be possible. If a command like this already exist, I apologize. If not, I would like to request this feature - although I'm at a loss as to how this command should be named 🙂 A search command like this would be very useful when calculating eg. SLA fulfillment. ... View more

I'm currently loading some localized CSV-files into Splunk which contains numbers formatted in a localized format (comma instead of period as decimal separator and period instead of comma as thousands separator). This format is used commonly in many countries. Are there any plans for implementing support for setting locales for inputs/sourcetypes like you can set a charset in props.conf? It would be nice if Splunk could interpret 1.234.567,89 as the same numeric value as 1,234,567.89 without having to transform the data prior to feeding it to Splunk. Currently Splunk interprets "1.234.567,89" as a string. Ideally numbers could be localized when presented depending on a language setting. However that's a bit extensive 🙂 ... View more