This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: making the percentages add up, real estate speculation, short but sweet, lookups science, and robot relationships.
Math is hard
<Drainy> how’s everyone today?
<Ayn> good. looking into optimizing searches with streamstats
<Drainy> oh how exciting
<Drainy> you can give me a lesson sometime
<Ayn> streamstats offers a bit more magic than what i can comprehend just yet
<Drainy> I’ve only used it where I have multiple fields of the same name within an event
<Ayn> or well, i THINK i know what it does, but i’m only 90% sure
<Drainy> thats an 80% improvement on me
<Ayn> if we join forces that’ll be 170% 😀
<Ayn> oh wait, that’s horrible math!
<Ayn> but 100% at least, that’s just as good
<Drainy> we can be 170%, it means we’re awesome +70% – mathematically speaking
The best strip mall ever
Cerby decides to get into commercial real estate:
<cerby> The Spunk gym opened up next to my office
<cerby> i want the Splunk office to move next to it
<cerby> and if that happened, I would open up a cave exploration company next to Splunk
<cerby> just to get a picture of that set of signs 😀
<cerby> I’d call my company Spelunk.
Snippets of lol
Some classic brief interludes:
<Drainy> Did you know that 85% of pie charts resemble Pacman?
<^Brian^> jrodman: if you get a second, can I pick your brain?
<^Brian^> not your brian..cause that would be awkward 😛
<Ayn> it’s scary how you could correlate the days when i have reports to write, and the days that i’m most active on irc
<Drainy> Just had to get a reference from my old boss at the helium factory, luckily he spoke very highly of me
<tomb1> noble of him
As deep as any ocean
<wilco> Could someone verify if my approach is sound? I have two services, a deprecated and a new, both of which log a username upon login. The new service has more than 10k, so subsearch is out.
<wilco> I want to search for distinct users in the new service, write new_service_username to a lookup CSV
<splunkmas> Yeah, that sounds like an easy way to do it
<wilco> Then I can search for users in the old service which don’t have the new_service_username
<wilco> Are there better ways?
<splunkmas> You could do it the other way around. Distinct users being users that have touched the new service, and not the old one, correct?
<splunkmas> I would write the old service to a csv and then do a search where NOT in the csv
<wilco> Ah, well, what I want is users who are still using the old service but have not used the new at all
<splunkmas> Then you win
<wilco> sorry, forgot that important part about what I want in the end
<madscient> wilco: you can do it all at once with some eval and stats, and not have any intermediate lookup
<wilco> how so? I’ve got it working now w/the lookup
<madscient> wilco: off top of head, source=”old” OR source=”new” | eval normalizedUserId=if(source==”old”,oldUserIdField,normalizedUserId) | eval normalizedUserId=if(source==”new”,newUserIdField,normalizedUserId) | stats values(source) as source by normalizedUserId | where source!=”new”
<wilco> madscient: Thanks; I’ll give that a shot
<madscient> i didn’t check it for typos. there probably is one. of course if the id fields are the same, you dont need those normalizing eval statements.
<realRDC> he blinded me with scient
<Coccyx> ok so I have a problem
<Coccyx> I’m no longer on the Splunkbot top talkers or most mentioned charts
<Coccyx> that’s totally fail, I must find more time to goof off in #splunk
<@cgales> Coccyx: how
<@cgales> Coccyx: can
<@cgales> Coccyx: we
<@cgales> Coccyx: help?