What does the Pain field indicate in this app

joemo
Splunk Employee

I am using the Sideview App trying to monitor usage by users. There is a Pain field in the User Activity report. Does anyone know what this Pain field is trying to show?

0 Karma

sideview
SplunkTrust

Hello!

Sorry, I don't think I ever realized that in the new Answers, app developers don't actually get notified when there is a question about their apps. So I only saw this question because @tscroggins @'ed me directly (thanks, by the way). Going forward I have now "subscribed" to my own app, so although that seems weird, perhaps it will help.

The "pain" field is actually calculated from a macro in the app called "estimate_pain", and you are free to try out some modifications. What ships is a somewhat complex thing that depends on total_run_time, the ratio of scan_count to event_count, has_index_term, has_pre_command, various logic around which command is the first_transforming command (strongly penalizing things like "table"), and also avg_pct_memory and max_mem_used.

There are also some exceptions poked in the logic; for instance, if the first command is metadata or makeresults it kind of short-circuits some of the logic. Likewise if the first_transforming command is "head", etc.

The INTENTION is that high "pain" correlates strongly with the sort of searches that the Splunk deployment's admins would want to know about, so they could go educate or help that user do something less awful.


I am super curious for what you see, what your reaction is and suggestions are. Answers is fine so we can talk on there. Note, however, that on the landing page of the sideview_ui app it also exhorts you the user to email anything and everything to sideview_ui@sideviewapps.com or to post your question on the app's channel on the Splunk community Slack.

I hope that helps, and please send in any and all feedback, in any area and in any quantity. Thanks.

tscroggins
Influencer

At a glance, it's a score calculated from _audit data based on search run time, the absence of an index predicate, the presence of prestats transforming commands, the position of other transforming commands, memory use, and the presence of an initial makeresults or metadata command. Pain is inversely proportional to efficiency.

@sideview may be lurking. Have you tried contacting them directly?

0 Karma