#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

where's the right place to suggest improvements?

JeToJedno
Explorer
‎12-05-2017 04:31 AM

I have two frequent needs which are unnecessarily difficult to do in Splunk:

example 1:
... | appendpipe [ where type="A" | makecontinuous span=1m _time | where ISNULL(type) | eval type="A" ]
| appendpipe [ where type="B" | makecontinuous span=1m _time | where ISNULL(type) | eval type="B" ]
| appendpipe [ where type="C" | makecontinuous span=1m _time | where ISNULL(type) | eval type="C" ]
| appendpipe [ where type="D" | makecontinuous span=1m _time | where ISNULL(type) | eval type="D" ] ...

example 2:
... | appendpipe [ stats COUNT AS count_up BY _time, type ]
| appendpipe [ eval _time=_time+duration | stats COUNT AS count_down BY _time, host ]
| where ISNOTNULL(count_up) OR ISNOTNULL(count_down)
| stats SUM(count_up) AS count_up SUM(count_down) AS count_down BY _time, host
| eval concurrent_change=count_up-count_down
| streamstats global=false SUM(concurrent_change) AS concurrency BY host ...

(not perfect, but good enough)

Both makecontinuous and concurrency commands would be much improved (and the reports run faster) by the addition of a BY clause.

Where should I post this suggestion?

Tags (1)
0 Karma
Reply

lycollicott
Motivator
‎12-05-2017 06:26 AM

You need to open a support case for enhancement requests....

alt text

Preview file
20 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...