- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Data sampled at different rates .. "expand" one to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two sets of data in splunk -- every 10 minutes we get a host and watts measurement; every hour we get a host and cpu-model measurement (actually a constant, but we repeat it every hour).
How can I get the different data rates to match? i.e. can I add events that copy the slow/cpumodel data to a 10-min frequency; or can I do a subsearch for each fast/watts event, looking up the last slow/cpumodel event?
Not sure if this will render properly, but here's a cut-and-paste of the data from a simple "watts OR cpumodel" search:
1 5/9/13
3:19:26.000 PM
May 9 15:19:26 igspncbc-n16 duologger.pl[4028]: xid=1368127165 nfs_write=0.52 load_long=4.99 packets_out=2626.34 watts=236 virtual_free=35184026606592
host=igspncbc-n16 Options| sourcetype=syslog Options| source=/var/log/local4 Options
2 5/9/13
3:19:25.000 PM
May 9 15:19:25 igspnih-n66 duologger.pl[20519]: xid=1368127164 nfs_write=651.92 load_long=3.92 packets_out=32244.3 watts=224 virtual_free=35184026606592
host=igspnih-n66 Options| sourcetype=syslog Options| source=/var/log/local4 Options
3 5/9/13
3:19:21.000 PM
May 9 15:19:21 chdm-n01 duologger.pl[21842]: xid=1368127161 nfs_write=1.15 load_long=10.22 packets_out=1497.46 watts=96 virtual_free=35183831837696
host=chdm-n01 Options| sourcetype=syslog Options| source=/var/log/local4 Options
4 5/9/13
3:19:21.000 PM
May 9 15:19:21 core-n13 dlogger.pl[29050]: xid=1368127161 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.92.51 cpumodel=intel-xeon-e5420 num_proc=8
host=core-n13.dscr.duke.local Options| sourcetype=local-too_small Options| source=/var/log/local4 Options
5 5/9/13
3:19:19.000 PM
May 9 15:19:19 sysbio-n05 duologger.pl[4682]: xid=1368127158 nfs_write=0.2 load_long=1.79 packets_out=14.45 watts=180 virtual_free=35184024566784
host=sysbio-n05 Options| sourcetype=syslog Options| source=/var/log/local4 Options
6 5/9/13
3:19:19.000 PM
May 9 15:19:19 igspnih-n37 dlogger.pl[24071]: xid=1368127159 uname=2.6.32-279.el6.x86_64 opsys=scientific-linux-release-6.3-carbon ip=10.184.68.37 cpumodel=intel-xeon-x5550 num_proc=16
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing the CPU info is per host. You could do
... | eventstats last(cpumodel) as cpumodel by host | ...
This will make the cpumodel field available in all events for that host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any ideas if eventstats would be faster/slower than a lookup table?
I.e. I created a lookup table using another search (cpumodel | stats first(cpumodel) as cpumodel by host) | outputlookup ...) then I can use that lookup in the faster/watts search.
I would assume that using lookup would imply some caching of the values, where eventstats may involve repeated searching. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing the CPU info is per host. You could do
... | eventstats last(cpumodel) as cpumodel by host | ...
This will make the cpumodel field available in all events for that host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh ... I was trying streamstats but couldn't get it to work out right.
That seems to do the trick -- Thanks!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
