At home, I'm splunking and analyzing winning Texas lottery numbers with Splunk installed on my macbook pro. I downloaded a csv file from the Texas Lotto page which contain the winning numbers for the past ten years. My hope is to determine which numbers are most likely to be selected as the winning numbers during the next lotto game.
This is a sample of the data:
Sat, Oct 5 2013, 5, 10, 31, 32, 34, 44
Wed, Oct 2 2013, 5, 13, 21, 26, 44, 45
Sat, Sep 28 2013, 2, 9, 13, 23, 31, 46
Wed, Sep 25 2013, 15, 20, 39, 41, 44, 50
Sat, Sep 21 2013, 3, 7, 8, 21, 31, 36
Wed, Sep 18 2013, 16, 27, 34, 42, 44, 46
Sat, Sep 14 2013, 7, 8, 22, 35, 37, 52
Wed, Sep 11 2013, 7, 10, 21, 25, 38, 42
Sat, Sep 7 2013, 7, 13, 24, 36, 42, 53
Wed, Sep 4 2013, 3, 13, 15, 20, 38, 50
The search I use looks like this:
| set intersect
[ | set diff
[search sourcetype="lotto" (month=10 year=2013)
| rex max_match=6 ",(? ((?!(.*?,){6})\d+))"
| eventstats values(aaa) as aaa
| dedup aaa| mvexpand aaa
| table aaa
]
[ search sourcetype="lotto"
| eval aaa = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54"
| makemv delim=" " aaa
| mvexpand aaa
| table aaa] | dedup aaa
]
[search sourcetype="lotto" (NOT month=10 year=2013)
| rex max_match=6 ",(? ((?!(.*?,){6})\d+))"
| stats count by aaa
| sort - count
| head 10
| table aaa
]
| rename aaa as "numbers picked THE MOST in all months in 2013, expect for this month"
I'm basically finding all the numbers that were NEVER picked this month and yet were picked THE MOST throughout the rest of the year. Odds suggest that these are the numbers most likely to be picked this month. Of course, some say it does not matter. Oh well, it was fun trying to figure out this search anyway. good practice.
Another thing I do is actually use Splunk as a Quick Pick generator.
Here is my search that does my quick pick for me:
* | eval aaa = round((random()/random())*100)
| search aaa>0 aaa<55
| dedup aaa
| table aaa
| head 6
| stats list(aaa) as aaa
| eval aaa = mvjoin(aaa," ")
| rename aaa as "Quick Pick"
Anyway, it's gonna be so cool when I WIN the lottery and can say that Splunk helped me do it.
... View more