Can you do double counting in Splunk via time_span? I want to count the number of hits of number of fruits sold in an hour.
My code:
|bucket _time span=1h
|eventstats count as count_in_an_hour by fruit time
|stats count as count_count by fruit
|table fruit count count_count
|sort count_count count
I can run this with a bit of data; but because I have a huge amount of data, it's taking very long and taking up a lot of space, resulting in a "not enough space" error.
My sample set of data:
name fruit location time
mary apple east 5.10
ben pear east 6.10
peter pear east 5.50
ben apple north 7.10
ben mango north 7.40
peter mango north 5.30
mary orange north 7.20
alice pear north 7.20
janet pear north 7.20
janet mango west 6.30
janet mango west 5.50
peter mango west 4.20
janet pear west 5.50
You can try asking your admin to increase your disk space limit, if that's the limiting factor.
If your admin has enabled the search_process_memory_usage_threshold setting then ask for the threshold to be increased.
Perhaps a better option is to reduce the number of results processed. You can do that in a few ways:
Use a smaller time window
Use the fields command early to reduce the amount of data processed
Make the base search as specific as possible to reduce the amount of data processed
For example:
index=foo name=* fruit=* earliest=-24h
| fields _time name fruit
| bucket _time span=1h
| eventstats count as count_in_an_hour by fruit time
| stats count as count_count by fruit
| sort count_count count_in_an_hour
| table fruit count_in_an_hour count_count
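The "double counting" the question describes is a count of counts: first count hits per fruit per hour, then count how many hours each fruit had that many hits. Below is an added illustration of that two-stage aggregation in Python over the sample rows from the question (not code from the thread); it assumes the "time" column is hour.minute on a single day, and it mirrors `stats ... by fruit _time | stats ... by fruit count_in_an_hour`, which only needs one counter per (fruit, hour) rather than holding every raw event the way eventstats does.

```python
from collections import Counter, defaultdict

# Constructed from the sample rows in the question: (name, fruit, location, time).
# Assumption: "time" is hour.minute on a single day, so "5.50" means 05:50.
SALES = [
    ("mary", "apple", "east", "5.10"), ("ben", "pear", "east", "6.10"),
    ("peter", "pear", "east", "5.50"), ("ben", "apple", "north", "7.10"),
    ("ben", "mango", "north", "7.40"), ("peter", "mango", "north", "5.30"),
    ("mary", "orange", "north", "7.20"), ("alice", "pear", "north", "7.20"),
    ("janet", "pear", "north", "7.20"), ("janet", "mango", "west", "6.30"),
    ("janet", "mango", "west", "5.50"), ("peter", "mango", "west", "4.20"),
    ("janet", "pear", "west", "5.50"),
]


def hour_bucket(time_str):
    """Equivalent of `bucket _time span=1h`: keep only the hour part."""
    return int(time_str.split(".")[0])


def hits_per_hour(rows):
    """First pass: `stats count as count_in_an_hour by fruit _time`.
    Only one counter per (fruit, hour) is kept, not every raw event,
    which is why a stats-then-stats pipeline is cheaper than eventstats."""
    per_hour = Counter()
    for _name, fruit, _location, time_str in rows:
        per_hour[(fruit, hour_bucket(time_str))] += 1
    return per_hour


def count_of_counts(rows):
    """Second pass: `stats count as count_count by fruit count_in_an_hour`.
    Returns {fruit: {hits_in_an_hour: number_of_hours_with_that_many_hits}}."""
    result = defaultdict(Counter)
    for (fruit, _hour), hits in hits_per_hour(rows).items():
        result[fruit][hits] += 1
    return {fruit: dict(dist) for fruit, dist in result.items()}


if __name__ == "__main__":
    for fruit, dist in sorted(count_of_counts(SALES).items()):
        for hits, hours in sorted(dist.items()):
            print(f"{fruit:7} count_in_an_hour={hits} count_count={hours}")
```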