Hi,
I'm a first-time Splunk user trying to figure out how to do the following:
I have data describing devices; the devices are either "on" or "off" on any given day. I want to search for the IDs of the devices that are "off" on a specific day (let's call them my "new_set") and then track those (and only those) devices over time and output a count of how many of the devices in new_set are "on" and how many are "off" on each subsequent day.
Illustration: on day 0 I might find 200,000 devices that are "off" out of a total of 500,000 devices; then I want to count on each subsequent day how many of those specific 200,000 devices are "on" and how many are "off". It may look like this:
Day 0: 200,000 off; 300,000 on
Then I find the IDs of those 200,000, call this new_set, and track only them (I no longer care about the devices that are not in "new_set"):
Day 0: 200,000 off; 0 on
Day 1: 199,000 off; 1,000 on
Day 2: 197,000 off; 3,000 on
Day n: .....
I have tried using a join command (inner), which eventually works; however, the search is very slow / inefficient, and I think there must be a more efficient way?
Does anyone have some recommendations or thoughts?
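One join-free way to express this, added here as an example and not part of the original post: the index, sourcetype and the field names `device_id` and `state` (values "on"/"off") are assumptions, and the search window's `earliest` defines day 0. Each device is first reduced to one state per day, the devices that were "off" on day 0 are flagged with `eventstats` (no subsearch, so the default subsearch result cap that silently truncates a `join` on 200,000 IDs does not apply), and the remaining rows are charted per day and state.

```spl
index=devices sourcetype=device_status earliest=-7d@d latest=now
| bin _time span=1d
| stats latest(state) as state by device_id, _time
| eventstats min(_time) as day0
| eval off_on_day0=if(_time=day0 AND state="off", 1, 0)
| eventstats max(off_on_day0) as in_new_set by device_id
| where in_new_set=1
| chart count over _time by state
| fillnull value=0
```

Devices that disappear from the data on a later day produce no row for that day, so the per-day "on" plus "off" totals can fall below the day 0 count; if every device must be accounted for, add a `| eval state=coalesce(state,"unknown")` step before the chart or check the totals per day.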