SPLUNK LIFE

That happened: episode 15

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: making the percentages add up, real estate speculation, short but sweet, lookups science, and robot relationships.

Math is hard

30 Helens^WAyns agree:

<Drainy> how’s everyone today?
<Ayn> good. looking into optimizing searches with streamstats
<Drainy> oh how exciting
<Drainy> you can give me a lesson sometime
<Ayn> streamstats offers a bit more magic than what i can comprehend just yet
<Drainy> I’ve only used it where I have multiple fields of the same name within an event
<Ayn> or well, i THINK i know what it does, but i’m only 90% sure
<Drainy> thats an 80% improvement on me
<Ayn> if we join forces that’ll be 170% 😀
<Ayn> oh wait, that’s horrible math!
<Ayn> but 100% at least, that’s just as good
<Drainy> we can be 170%, it means we’re awesome +70% – mathematically speaking

The best strip mall ever

Cerby decides to get into commercial real estate:

<cerby> The Spunk gym opened up next to my office
<cerby> i want the Splunk office to move next to it
<cerby> and if that happened, I would open up a cave exploration company next to Splunk
<cerby> just to get a picture of that set of signs 😀
<cerby> I’d call my company Spelunk.

Snippets of lol

Some classic brief interludes:

<Drainy> Did you know that 85% of pie charts resemble Pacman?

<^Brian^> jrodman: if you get a second, can I pick your brain?
<^Brian^> not your brian..cause that would be awkward 😛

<Ayn> it’s scary how you could correlate the days when i have reports to write, and the days that i’m most active on irc

<Drainy> Just had to get a reference from my old boss at the helium factory, luckily he spoke very highly of me
<tomb1> noble of him

As deep as any ocean

Madscient drops eval and stats knowledge:

<wilco> Could someone verify if my approach is sound? I have two services, a deprecated and a new, both of which log a username upon login. The new service has more than 10k, so subsearch is out.
<wilco> I want to search for distinct users in the new service, write new_service_username to a lookup CSV
<splunkmas> Yeah, that sounds like an easy way to do it
<wilco> Then I can search for users in the old service which don’t have the new_service_username
<wilco> thanks
<splunkmas> Well
<wilco> Are there better ways?
<splunkmas> You could do it the other way around. Distinct users being users that have touched the new service, and not the old one, correct?
<splunkmas> I would write the old service to a csv and then do a search where NOT in the csv
<wilco> Ah, well, what I want is users who are still using the old service but have not used the new at all
<splunkmas> Oh
<splunkmas> :-) Then you win
<wilco> sorry, forgot that important part about what I want in the end :)
<HuckWeed> lol
<madscient> wilco:   you can do it all at once with some eval and stats,  and not have any intermediate lookup
<wilco> how so? I’ve got it working now w/the lookup
<madscient> wilco:  off top of head,   source=”old” OR source=”new” | eval normalizedUserId=if(source==”old”,oldUserIdField,normalizedUserId) | eval normalizedUserId=if(source==”new”,newUserIdField,normalizedUserId) | stats values(source) as source by normalizedUserId | where source!=”new”
<wilco> madscient: Thanks; I’ll give that a shot
<madscient> i didn’t check it for typos.  there probably is one.   of course if the id fields are the same, you dont need those normalizing eval statements.
<realRDC> he blinded me with scient

Chat harder

Few things are sadder than having your own robot forget your name:

<Coccyx> ok so I have a problem
<Coccyx> I’m no longer on the Splunkbot top talkers or most mentioned charts
<Coccyx> that’s totally fail, I must find more time to goof off in #splunk
<@cgales> Coccyx: how
<@cgales> Coccyx: can
<@cgales> Coccyx: we
<@cgales> Coccyx: help?
<Coccyx> lol

----------------------------------------------------
Thanks!
rachel perkins

Splunk
Posted by

Splunk

Join the Discussion