Splunk Search

table of intermediary results

olivier_romain
Engager

Hello,

I am trying to build an application dealing with statistics with Splunk. However, I can't find the right way to do so.

Every 15 minutes I get an event from which I can extract several values. Let's call them val1, val2 ... valN.

What I would like to do is to create a table containing the variance V1 of all past values of val1 in column1; the variance V2 of all past values of val2 in column2; ... ; the variance VN of all past values of valN in columnN.

I need to store this table somehow in Splunk, so that I can search it. Of course this table would be updated every 15 minutes as new events are used to compute the variances.

Could you tell me how to proceed to do such a thing?

That would be very helpful.

Thanks in advance,

Olivier


sbrant_splunk
Splunk Employee

Hi there-

I'm not sure what you've tried already but you have several options:

  1. You can utilize Splunk's lookup functionality by:
    a. write the data you want to save out to a csv file, using the outputlookup command, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup
    b. read the data back in from the file using the inputlookup command, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup

  2. Schedule the search that you've created, to extract your values, and choose to write them to a summary index. You can then search that summary index for the relevant values.

Although option 2 is valid, it may be overkill, depending on how you want to manage your data. I would start out with the first option and see if that does what you need it to.

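As an added illustration of option 1 (not code from the thread), a savedsearches.conf stanza that recomputes the variances every 15 minutes and writes them to a lookup file. The index name `stats_idx`, sourcetype `my_metrics`, field names `val1`..`val3` and the lookup file name `variances.csv` are assumptions for the example.

```ini
# Added example, not from the original thread.
# Assumed names: index stats_idx, sourcetype my_metrics, fields val1..val3,
# lookup file variances.csv.
[variance_table_refresh]
enableSched = 1
# run every 15 minutes, right after each new event is expected
cron_schedule = */15 * * * *
# search all history so each cell is the variance of ALL past values
dispatch.earliest_time = 0
dispatch.latest_time = now
# var() is Splunk's sample variance; use varp() for population variance
search = index=stats_idx sourcetype=my_metrics \
  | stats var(val1) AS V1, var(val2) AS V2, var(val3) AS V3 \
  | outputlookup variances.csv
```

Read the table back in any search with `| inputlookup variances.csv`; each run overwrites the single-row table. To keep a history of one row per refresh instead, add `| eval computed_at=now()` before the `outputlookup` and use `outputlookup append=true variances.csv`.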