I have two frequent needs which are unnecessarily difficult to do in Splunk:
example 1:
... | appendpipe [ where type="A" | makecontinuous span=1m _time | where ISNULL(type) | eval type="A" ]
| appendpipe [ where type="B" | makecontinuous span=1m _time | where ISNULL(type) | eval type="B" ]
| appendpipe [ where type="C" | makecontinuous span=1m _time | where ISNULL(type) | eval type="C" ]
| appendpipe [ where type="D" | makecontinuous span=1m _time | where ISNULL(type) | eval type="D" ] ...
example 2:
... | appendpipe [ stats COUNT AS count_up BY _time, type ]
| appendpipe [ eval _time=_time+duration | stats COUNT AS count_down BY _time, host ]
| where ISNOTNULL(count_up) OR ISNOTNULL(count_down)
| stats SUM(count_up) AS count_up SUM(count_down) AS count_down BY _time, host
| eval concurrent_change=count_up-count_down
| streamstats global=false SUM(concurrent_change) AS concurrency BY host ...
(not perfect, but good enough)
Both makecontinuous and concurrency commands would be much improved (and the reports run faster) by the addition of a BY clause.
Where should I post this suggestion?
