Splunk says that if we don't use a transforming command like stats, chart and timechart you can lose events if there are more than 500000 events:

> If the base search is a non-transforming search, the Splunk platform retains only the first 500,000 events that it returns. A post-process search does not process events in excess of this 500,000 event limit, silently ignoring them. This can generate incomplete data for the post-process search.
>
> A search that uses transforming commands like stats, chart, and timechart to transform event data returned by a search into statistical tables that can be used as the basis for charts and other kinds of data visualizations.
>
> This search result retention limit matches the max_count setting in nf. The setting defaults to 500,000.

Does it mean that in my example I am sure not to lose events because I use stats, which is a transforming command? I have a misunderstanding because I also use a base search with timechart, which is also a transforming command, but my timechart is incomplete because I have more than 500000 events:

```
| fields ica_latency_last_recorded ica_latency_session_avg
search idle_sec < 300
| timechart span=1d avg(ica_latency_session_avg) as "Latence moyenne de la session (ms)"
```

So can somebody clarify the documentation you refer to?

You correctly point out the event retention issue. However, even though you are using a transforming search in your post processor search, that's not the issue. Your base search will not be able to retain more than max_count events, therefore your results from the stats or timechart will be inconsistent.

Often you can force your base search to use a transforming command by simply using stats and the fields you want to retain, e.g. in your existing first example, you could do

which then makes your base search one that contains a transforming command. For your second example, this _may_ be sufficient:

```
| stats count by ica_latency_last_recorded ica_latency_session_avg idle_sec
search idle_sec < 300
```

Note that IFF you get any aggregation where count > 1 in this example, your final avg(ica_latency_session_avg) may be wrong in that you will not be taking the number of occurrences of that aggregation into account for the average. If that is an issue, you can mitigate that by introducing a random number into each event, e.g.

```
| stats count by ica_latency_last_recorded ica_latency_session_avg idle_sec _time rnd
```

and that will significantly reduce your chance of ever getting count > 1. This will then avoid the event retention issue of max_count events because you now use a transforming command.

If you really want to use a base/post-process search structure here, you'll need to reference the AccountId field in your base search, or else the post-process search won't have access to it. So you could make your base search something like this:

```
index=a-index sourcetype='a-srctype' | fields AccountId
```
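The two effects discussed in the thread, the silent truncation of a non-transforming base search at max_count and the skewed avg() you get when a `stats count by` base search has collapsed duplicate events into one row, are easy to see in a small model. The Python below is an added illustration, not code from the thread or from Splunk: it replays the base/post-process split over a handful of constructed events, with MAX_COUNT set to 4 so the truncation is visible (the real limits.conf default is 500,000). The field names and values are constructed, and the "weighted" variant goes one step beyond the answer by using the count column to recover the true average, as an alternative to the per-event random field the answer suggests.

```python
"""
Toy model of Splunk base/post-process search retention (added example).
Field names and event values are constructed; MAX_COUNT is deliberately tiny.
"""
from collections import Counter
import random

# Constructed sample events. Three of them are exact duplicates, which is
# what makes '| stats count by ...' collapse them into a single row.
EVENTS = [
    {"_time": 1, "ica_latency_session_avg": 100, "idle_sec": 10},
    {"_time": 1, "ica_latency_session_avg": 100, "idle_sec": 10},   # duplicate
    {"_time": 1, "ica_latency_session_avg": 100, "idle_sec": 10},   # duplicate
    {"_time": 1, "ica_latency_session_avg": 400, "idle_sec": 20},
    {"_time": 2, "ica_latency_session_avg": 250, "idle_sec": 500},  # dropped by idle_sec < 300
    {"_time": 2, "ica_latency_session_avg": 700, "idle_sec": 30},
]

MAX_COUNT = 4  # stand-in for the limits.conf max_count setting (default 500,000)


def non_transforming_base(events, max_count=MAX_COUNT):
    """Base search with no transforming command: only the first max_count
    events reach the post-process search, the rest are silently ignored."""
    return events[:max_count]


def stats_count_by(events, by_fields):
    """'| stats count by <fields>' as a transforming base search: one row per
    distinct field combination plus the number of events behind it. The row
    count is bounded by distinct combinations, not by max_count."""
    counts = Counter(tuple(e[f] for f in by_fields) for e in events)
    return [dict(zip(by_fields, key), count=n) for key, n in counts.items()]


def add_random_field(events, rng):
    """The answer's mitigation: give every event its own random number so that
    otherwise identical events no longer collapse into one stats row."""
    return [dict(e, rnd=rng.getrandbits(64)) for e in events]


def post_process_avg(rows, value_field="ica_latency_session_avg", weighted=False):
    """Post-process 'search idle_sec < 300 | stats avg(value_field)'.
    weighted=False is what avg() does over stats rows: each row counts once,
    however many events it stands for. weighted=True (my addition) uses the
    count column so collapsed duplicates are counted again."""
    kept = [r for r in rows if r["idle_sec"] < 300]
    if not kept:
        return None
    weights = [r.get("count", 1) if weighted else 1 for r in kept]
    return sum(r[value_field] * w for r, w in zip(kept, weights)) / sum(weights)


def true_avg(events):
    """Ground truth: the average over every raw event that passes the filter."""
    return post_process_avg(events)


def compare(events=EVENTS, seed=0):
    """Run the same post-process average over each kind of base search."""
    rng = random.Random(seed)
    by = ["ica_latency_session_avg", "idle_sec"]
    return {
        "true": true_avg(events),
        # non-transforming base: truncated at MAX_COUNT, one event never arrives
        "truncated": post_process_avg(non_transforming_base(events)),
        # stats base: nothing truncated, but duplicates weigh as one row
        "stats_naive": post_process_avg(stats_count_by(events, by)),
        # stats base, average weighted by the count column
        "stats_weighted": post_process_avg(stats_count_by(events, by), weighted=True),
        # stats base with _time and a per-event random field in the by-clause
        "stats_rnd": post_process_avg(
            stats_count_by(add_random_field(events, rng), by + ["_time", "rnd"])
        ),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:15s} {value}")
```

With these events the true average of the filtered values is 280; the truncated base search reports 175 because the 700 ms event never reaches the post-process search, and the plain stats base reports 400 because the three identical 100 ms events count as one row. Both the count-weighted average and the random-field variant land back on 280, which is the point the answer makes about count > 1.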