- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Grab only last X number of values from a trans...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
How can I only grab the last two distinct values from a single transaction.
For example: Search this within 24 hr period will give me a several connection values.
{Search} | transaction by Server | stats values(connection) by Server
I would like to dedup the connection values, and get the difference of the last two values. Let's say I have distinct connection counts 1, 3, 5, 2, 6, 9, 3, and 13. So my last two connections are 3 and 13, so their difference is 10.
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should probably not run the transaction command on large data sets, where the transactions can/will span over 24 hours.
Firstly, in your example above, you don't need the transaction. It does not add anything (apart from execution costs).
Secondly, if you only want the last two values of connection for each Server, you could use dedup to get the X number of values per field.
your search | dedup 2 Server |
Then you can move on to do the math with the values of connection - this is one of the ways to do it. (use transaction and mvindex())
your search
| dedup 2 Server
| transaction span=24h Server
| eval c1 = mvindex(connection,0)
| eval c2 = mvindex(connection,1)
| eval diff = c1 - c2
Note that the transaction will not be expensive here, since it's only operating on (2 x Server) number of events. If you want the absolute difference add | eval diff = abs(diff) at the end.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should probably not run the transaction command on large data sets, where the transactions can/will span over 24 hours.
Firstly, in your example above, you don't need the transaction. It does not add anything (apart from execution costs).
Secondly, if you only want the last two values of connection for each Server, you could use dedup to get the X number of values per field.
your search | dedup 2 Server |
Then you can move on to do the math with the values of connection - this is one of the ways to do it. (use transaction and mvindex())
your search
| dedup 2 Server
| transaction span=24h Server
| eval c1 = mvindex(connection,0)
| eval c2 = mvindex(connection,1)
| eval diff = c1 - c2
Note that the transaction will not be expensive here, since it's only operating on (2 x Server) number of events. If you want the absolute difference add | eval diff = abs(diff) at the end.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly what I needed. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting..... Not quite what you are after, but I wonder if this might be useful:
{search} | sort -_time | transaction Server maxevents=2
the transaction command will create a field called "duration", which will be the difference in seconds between the first and last events.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
