Activity Feed
- Posted Re: Special Days - Public Holidays available in Splunk? on Splunk ITSI. 08-24-2020 03:27 AM
- Karma Re: Special Days - Public Holidays available in Splunk? for to4kawa. 08-24-2020 03:27 AM
- Posted Special Days - Public Holidays available in Splunk? on Splunk ITSI. 08-24-2020 02:12 AM
- Tagged Special Days - Public Holidays available in Splunk? on Splunk ITSI. 08-24-2020 02:12 AM
- Posted Re: Alphabetically sorting a MVfield on Splunk Search. 06-22-2020 01:45 AM
- Posted Alphabetically sorting a MVfield on Splunk Search. 06-19-2020 05:43 AM
- Posted Re: Summing values inside mvfield on Splunk ITSI. 06-19-2020 04:36 AM
- Posted Re: Summing values inside mvfield on Splunk ITSI. 06-19-2020 04:35 AM
- Karma Re: Summing values inside mvfield for bowesmana. 06-19-2020 04:35 AM
- Tagged Re: Summing values inside mvfield on Splunk ITSI. 06-19-2020 04:35 AM
- Posted Summing values inside mvfield on Splunk ITSI. 06-18-2020 07:44 AM
- Karma Re: Best practice dedup: should I use it as early as possible, or postpone it since it is non-streaming? for koshyk. 06-05-2020 12:50 AM
- Posted Re: Best practice dedup: should I use it as early as possible, or postpone it since it is non-streaming? on Splunk Search. 05-27-2019 03:07 AM
- Posted Best practice dedup: should I use it as early as possible, or postpone it since it is non-streaming? on Splunk Search. 05-27-2019 02:48 AM
- Tagged Best practice dedup: should I use it as early as possible, or postpone it since it is non-streaming? on Splunk Search. 05-27-2019 02:48 AM
08-24-2020
02:12 AM
Hi Splunk Users,

I'm working to implement some special days in a StateSpaceForecast model and I was hoping to add days like Easter and Christmas into the model. I was wondering if there are resources in Splunk that give me the exact date of Easter for the current year, or would I have to import this information from an external source (and put it in a lookup)?

Any ideas are welcome.

Cheers,
Roelof
06-22-2020
01:45 AM
Hi Richgalloway,

Thanks for the reply. The attachment in the main question shows the erroneous results, with the tasks sorted alphabetically instead of matched with the timestamp. So, for example, for id number 1 there are 6 tasks and 6 time stamps, and the stats command (placing both columns inside stats) gives:

```
sysmodtime, task_name, idnumber
05/04/20 12:00 PM, five, 4
05/03/20 12:00 PM, four,
05/03/20 12:01 PM, one,
05/03/20 12:02 PM, six,
05/03/20 12:40 PM, three,
05/03/20 12:50 PM, two,
```

whereas the order should simply be: one, two, three, four, five, six.

Solutions that make a new field using sysmodtime and task_name fail, since the number of tasks and the number of sysmodtime values are not equal in all cases.
06-19-2020
05:43 AM
Hi All,

I'm trying to combine a number of fields using:

| stats values(task_name) as task_name by idnumber

This works great when it comes to timestamps associated with the idnumber, but for the tasks associated with it, Splunk sorts them alphabetically. This leads to problems down the line when we try to see which task was executed first. Part of the problem is that the number of timestamps can differ from the number of tasks, so making a new field with timestamp and task combined does not work.

```
#original data:
sysmodtime,task_name,idnumber
05/01/20 12:00 PM,one,1
05/01/20 12:01 AM,two,1
05/01/20 12:02 AM,two,1
05/01/20 12:02 AM,two,1
05/02/20 12:00 PM,one,2
04/02/20 12:00 AM,one,2
04/02/20 01:00 AM,one,2
04/02/20 02:00 AM,one,3
05/04/20 12:00 PM,one,4
05/03/20 12:00 PM,two,4
05/03/20 12:01 PM,three,4
05/03/20 12:02 PM,four,4
05/03/20 12:40 PM,five,4
05/03/20 12:50 PM,six,4
#the conflicting results after stats command (see attachment)
```

Any advice would be welcome.

Cheers,
Roelof
Labels: Other
06-19-2020
04:36 AM
Thanks for the reply; streamstats was indeed helpful. I've accepted the other reply as the answer, though, for its completeness.
06-19-2020
04:35 AM
This worked perfectly, thank you very much. I've only added a strftime to convert epoch into hours and minutes:

| eval time_diff=strftime(mvindex(time_diff,1,-1),"%H:%M:%S")
Tags: other
06-18-2020
07:44 AM
Hi All,

I am trying to subtract values (timestamps) of an mv field, but they are of differing lengths.

```
## example data:
sysmodtime,idnumber,epoch time
05/03/20 12:40 PM,1,1588502400
05/01/20 12:01 AM,1,1588284060
05/01/20 12:02 AM,1,1588284120
05/01/20 12:02 AM,1,1588284120
05/02/20 12:00 PM,2,1588413600
04/02/20 12:00 AM,2,1585778400
04/02/20 01:00 AM,2,1585782000
04/02/20 02:00 AM,3,1585785600

##desired outcome: = new field time-diff at the end:
sysmodtime,idnumber,epoch time,time_diff
05/03/20 12:40 PM,1,1588502400,218340
05/01/20 12:01 AM,1,1588284060,-60
05/01/20 12:02 AM,1,1588284120,0
05/01/20 12:02 AM,1,1588284120,empty
05/02/20 12:00 PM,2,1588413600,2635200
04/02/20 12:00 AM,2,1585778400,-3600
04/02/20 01:00 AM,2,1585782000,empty
04/02/20 02:00 AM,3,1585785600,empty
```

The original data is about 200.000 rows long, so we are looking for a structural solution. Is there a simple way to loop through the timestamp values inside the mvfield, subtract them, and place the result in a new field?

Any suggestions would be very welcome.

Cheers,
Roelof
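One way to produce the requested time_diff column with streamstats, as an added example that is not the accepted answer or any code from this thread. It assumes the sample rows above are loaded from a hypothetical lookup mvfield_sample.csv whose third column is named epoch_time (no space), and it finishes with list() rather than values(), which keeps each idnumber's rows in arrival order instead of sorting them, the issue raised in the mvfield sorting post above.

```spl
| inputlookup mvfield_sample.csv
| reverse
| streamstats current=f window=1 last(epoch_time) as next_epoch by idnumber
| eval time_diff=if(isnotnull(next_epoch), epoch_time - next_epoch, "empty")
| reverse
| fields - next_epoch
| stats list(sysmodtime) as sysmodtime list(epoch_time) as epoch_time list(time_diff) as time_diff by idnumber
```

Because reverse runs before streamstats, each row is compared with the row that follows it in the original order, and the last row of every idnumber stays "empty". list() keeps at most 100 values per group by default, so for very large groups keep time_diff as a per-row field and drop the final stats.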
Labels: Other
05-27-2019
03:07 AM
Hi Koshyk,
Thank you for the quick reply, just a follow up: this means that if I rename before stats or dedup it would take more time? And this would be the case since it is renaming over a larger dataset than if it was executed after stats/dedup?
05-27-2019
02:48 AM
In the fundamentals 1 course lab 8 tells us to:
"As a best practice and for best performance, place dedup as early in the search as possible." (page 4)
But the quick reference guide tells us that:
"Postpone commands that process over the entire result set (non-streaming commands) as late as possible in your search. Some of these commands are: dedup, sort, and stats" (page 2)
The example command they give in lab 8 places dedup in front of the distributable streaming command 'rename':
index=main sourcetype="access_combined_wcookie" action=purchase status=200 file="success.do"
| dedup JSESSIONID
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions
Would it not make sense to place dedup after rename? I guess 'as early as possible' is ambiguous anyways, but any input on where to place dedup would be greatly appreciated,
Cheers,
Roelof
Tags: splunk-enterprise