I have a service that drops a stats line every minute on every host on 20+ hosts. If I use sistats I lose information on the true count of events and things like "top fieldvalue" do not work as expected.
I believe that with the correct set of evals I can produce the correct set of summary fields to have si comparable results.
Looking at si-generated data from sistats fields, I have deduced the following meanings but need further clarification:
psrsvd_ct_FIELDNAME = count
psrsvd_nc_FIELDNAME = Also Count?
psrsvd_sm_FIELDNAME = sum
psrsvd_ss_FIELDNAME = sum of squares
psrsvd_vt_cnt = ?? some kind of variance ??
So is ct = count? What is nc really for, what formula do you use for SS (does it include std-dev or is it a simple sum of squares), and what is vt?
The application dumping the stats is in-house, and I can add sum-of-squares values if needed to be compatible, then aggregate the stats and produce si-compatible results.
The hosts are behind a load balancer, and for these results I do not care about the per-host values, just the platform values, which is why I am aggregating values in Splunk.
Also, my analysis seems to indicate that the results from the sistats command do not care which operator you use; they all produce the same field set for any field used in an aggregation operator. If this is true, then that would mean I could later ask for the average of a field when I only initially wanted the sum in the sistats command.
Thanks in advance for the help,
Blaine
Tags: aggregate, aggregation, index, sistats, stats, summary
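The aggregation the post describes, per-host partial aggregates (count, sum, sum of squares) merged into platform-wide figures from which mean and variance are derived later, as an added worked example. This is not code from the post or from Splunk, and it makes no claim about what the psrsvd_* fields mean; the field names count/sum/sumsq and the sample lines are constructed for illustration, and the formulas are the standard identities for combining partial sums.

```python
import math
from typing import Dict, Iterable, List

# Constructed sample: one stats line per host for one minute, as in the post.
# Each line carries that host's partial aggregates for a hypothetical field
# "latency_ms" (field names are assumptions, not Splunk's psrsvd_* names).
SAMPLE_LINES: List[Dict[str, float]] = [
    {"host": "web01", "count": 4, "sum": 400.0, "sumsq": 41000.0},  # 80, 90, 110, 120
    {"host": "web02", "count": 3, "sum": 330.0, "sumsq": 36500.0},  # 100, 110, 120
    {"host": "web03", "count": 0, "sum": 0.0, "sumsq": 0.0},        # idle host this minute
]

# The raw values behind the sample, used only to cross-check the identities.
RAW_VALUES: List[float] = [80, 90, 110, 120, 100, 110, 120]


def partials_from_values(values: Iterable[float]) -> Dict[str, float]:
    """Reduce raw observations to the three partial aggregates a host would emit.

    'sumsq' is the plain sum of squares (no std-dev folded in); everything else
    (mean, variance, std-dev) is derivable from these three numbers later.
    """
    count = 0
    total = 0.0
    sumsq = 0.0
    for v in values:
        count += 1
        total += v
        sumsq += v * v
    return {"count": count, "sum": total, "sumsq": sumsq}


def merge_partials(lines: Iterable[Dict[str, float]]) -> Dict[str, float]:
    """Combine per-host partials into platform totals.

    Count, sum and sum of squares are all additive, so merging is a plain
    field-wise sum regardless of how many hosts or minutes are folded in.
    Hosts with count == 0 contribute nothing and need no special casing.
    """
    merged = {"count": 0, "sum": 0.0, "sumsq": 0.0}
    for line in lines:
        merged["count"] += int(line["count"])
        merged["sum"] += float(line["sum"])
        merged["sumsq"] += float(line["sumsq"])
    return merged


def mean(p: Dict[str, float]) -> float:
    """Average derived from the merged partials (sum / count)."""
    if p["count"] == 0:
        raise ValueError("mean is undefined for an empty aggregate")
    return p["sum"] / p["count"]


def variance(p: Dict[str, float], sample: bool = False) -> float:
    """Variance from count, sum and sum of squares.

    Population form: E[x^2] - E[x]^2 = sumsq/n - (sum/n)^2.
    Sample form rescales by n/(n-1). Note the caveat of this identity: with
    very large values and a small spread, sumsq/n and mean^2 are nearly equal
    and the subtraction loses precision (catastrophic cancellation), so shift
    the data (e.g. subtract a per-minute baseline) before summing if that bites.
    """
    n = p["count"]
    if n == 0 or (sample and n < 2):
        raise ValueError("not enough observations for the requested variance")
    m = p["sum"] / n
    pop_var = p["sumsq"] / n - m * m
    pop_var = max(pop_var, 0.0)  # guard tiny negative values from rounding
    return pop_var * n / (n - 1) if sample else pop_var


def stdev(p: Dict[str, float], sample: bool = False) -> float:
    """Standard deviation derived from the same three partials."""
    return math.sqrt(variance(p, sample=sample))


def summarize(lines: Iterable[Dict[str, float]]) -> Dict[str, float]:
    """Produce the derived statistics a later query might ask for.

    This is the point raised in the post: having stored count/sum/sumsq, an
    average or std-dev can be requested afterwards even if only the sum was
    wanted when the stats were first collected.
    """
    merged = merge_partials(lines)
    return {
        "count": merged["count"],
        "sum": merged["sum"],
        "avg": mean(merged),
        "var": variance(merged),
        "stdev": stdev(merged),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LINES).items():
        print(f"{k:6s} {v:.4f}")
```

Because each of the three partials is additive, the same merge works across minutes as well as across hosts, so a platform-wide daily figure is just the field-wise sum of all the per-host, per-minute lines.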