fighting the lack of good ideas
Had a customer recently ask about to disaggregate a Splunk search that had aggregated fields because they export to CSV horribly. Here’s the thing. You can’t disaggregate aggregated fields. And there’s a Good Reason™ too: aggregation, by definition, is a one-way street. You can’t un-average something. Average is an aggregation function. So why would you…
Splunk’s | stats functions are incredibly useful and powerful. There are two, list and values that look identical…at first blush. But they are subtly different. Here’s how they’re not the same. values is an aggregating, uniquifying function. list is an aggregating, not uniquifying function. “Whahhuh?!” I hear you ask. Here’s a prime example – say…
I first ran into this on Solaris in the context of [then] Opsware SAS (then HP SA, now owned by Microfocus). Bind mounts might be OK … so unless the tarball has symlinks included, don’t use them – they get traversed differently than “real” directories. In short, when directory traversals are done, sometimes it looks…
Yesterday I wrote-up a neat little find in Splunk wherein running stats count by … is substantially faster than running dedup …. After some further reflection over dinner, I figured out the major portion of why this is – and I feel a little dumb for not having thought of it before. (A coworker added some…
continue “more thoughts on `|stats` vs `|dedup` in splunk” »
It’s fairly common to want to table the data you’ve found in a search in Splunk – heck, if you’re not prettying the data up somewhy, why are you bothering with the tool? But I digress. There are two (at least) ways of making a table – you can use the |table <field(s)> syntax, or…