Count count in splunk - splunk

Can you do double counting in Splunk via time_span?
I want to count the number of hits of number of fruits sold in an hour.
My code:
| bucket _time span=1h
| eventstats count as count_in_an_hour by fruit time
| stats count as count_count by fruit
| table fruit count count_count
| sort count_count count
I can run this with a bit of data, but because I have a huge amount of data, it's taking very long and taking up a lot of space, resulting in a "not enough space" error.
My sample set of data,
name fruit location time
mary apple east 5.10
ben pear east 6.10
peter pear east 5.50
ben apple north 7.10
ben mango north 7.40
peter mango north 5.30
mary orange north 7.20
alice pear north 7.20
janet pear north 7.20
janet mango west 6.30
janet mango west 5.50
peter mango west 4.20
janet pear west 5.50

You can try asking your admin to increase your disk space limit, if that's the limiting factor.
If your admin has enabled the search_process_memory_usage_threshold setting then ask for the threshold to be increased.
Perhaps a better option is to reduce the number of results processed. You can do that in a few ways:
Use a smaller time window
Use the fields command early to reduce the amount of data processed
Make the base search as specific as possible to reduce the amount of data processed
For example:
index=foo name=* fruit=* earliest=-24h
| fields _time name fruit
| bucket _time span=1h
| eventstats count as count_in_an_hour by fruit _time
| stats count as count_count by fruit count_in_an_hour
| sort count_count count_in_an_hour
| table fruit count_in_an_hour count_count
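An added example, not part of the original answer: the same count-of-counts written with two stats passes instead of eventstats, so each stage keeps one row per group rather than carrying every event forward. The rows are the question's sample data; reading the time column as hour.minute, the derived hour field, and a Splunk version whose makeresults accepts format=csv are assumptions.

```spl
| makeresults format=csv data="name,fruit,location,time
mary,apple,east,5.10
ben,pear,east,6.10
peter,pear,east,5.50
ben,apple,north,7.10
ben,mango,north,7.40
peter,mango,north,5.30
mary,orange,north,7.20
alice,pear,north,7.20
janet,pear,north,7.20
janet,mango,west,6.30
janet,mango,west,5.50
peter,mango,west,4.20
janet,pear,west,5.50"
| fields fruit time
| eval hour=floor(tonumber(time))
| stats count as count_in_an_hour by fruit hour
| stats count as count_count by fruit count_in_an_hour
| sort fruit count_in_an_hour
```

On indexed data, replace the makeresults and eval stages with the base search followed by bin _time span=1h, and group by _time in place of hour.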

Related

Pandas difficult to add new column with condition?

I was trying to do multiple group and also adding count to new column.
My input file
OrderDate Region Rep Item Units Unit Cost Total
----------------------------------------------------------
1/6/18 East Jones Pencil 95 1.99 189.05
1/23/18 Central Kivell Binder 50 19.99 999.50
2/9/18 Central Jardine Pencil 36 4.99 179.64
2/26/18 Central Gill Pen 27 19.99 539.73
3/15/18 West Sorvino Pencil 56 2.99 167.44
4/1/18 East Jones Binder 60 4.99 299.40
4/18/18 Central Andrews Pencil 75 1.99 149.25
4/18/18 West Jones Pencil 75 1.99 149.25
I am trying to do like
Region Rep Count same/diff
-------------------------------
east jones 2 2-same
jones
central Kivell 4 >3 difference
Jardine
Gill
Andrews
West Sorvino 2 2-different
West jones1
My code:
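import pandas as pd
# excel_path is the path to the workbook (not shown in the question)
df1 = pd.read_excel(excel_path, sheet_name='SalesOrders', index_col=0)
# Count how often each Rep appears within each Region
df3 = df1.groupby('Region')['Rep'].value_counts()
print(df3)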
Please help me to do this. Thanks
In the Rep column, based on Region, I have done a group by to know the Rep values. If the Rep members are the same, then 2 same people; consider the Central region has 4 different people working, so it is greater than 3.

Hive sql pack array based off column

I have multiple columns listed below:
state sport size color name
florida football 1 red Max
nevada football 1 red Max
ohio football 1 red Max
texas football 1 red Max
florida hockey 1 red Max
nevada hockey 1 red Max
ohio hockey 1 red Max
texas hockey 1 red Max
florida tennis 2 green Max
nevada tennis 2 green Max
ohio tennis 2 green Max
texas tennis 2 green Max
Is there a way to combine these into arrays like the desired output below based on one column (in this case Name). Mac the results will have one record, instead of repeating and the records will be contained in an array.
state sport
[florida, nevada, ohio,texas] [football, hockey, tennis]
size color
[1,2] [red, green]
You can use collect_set.
select name,collect_set(state),collect_set(sport),collect_set(size),collect_set(color)
from tbl
group by name
You need to use collect_set. Hope this helps. Thanks.
query:
select collect_set(state),
collect_set(sport),
collect_set(size),
collect_set(color)
from myTable
where name = 'Max';

How do you read two-way tables?

I want to know what two-way tables are in SQL.
And how can I read these two-way tables?
Two-way tables are not a way of storing data, but of displaying data. That says nothing about how the data is stored.
Let's say we store persons along with their IQ and the country they live in. The table may look like this:
name iq country
John Smith 125 GB
Mary Jones 150 GB
Juan Lopez 150 ES
Liz Allen 125 GB
The two-way table to show the relation between IQ and country would be:
   | 125 | 150
---+-----+-----
GB |   2 |   1
ES |   0 |   1
or
    | GB | ES
----+----+----
125 |  2 |  0
150 |  1 |  1
In order to retrieve this data from the database you might write this query:
select iq, country, count(*)
from persons
group by iq, country;
SQL is meant to retrieve data; it is not really meant to care about its presentation, the layout. So you'd write a program (in PHP, C#, Java, whatever) sending the query to the database, receiving the data and filling a GUI grid in a loop.
In rare cases SQL can provide the layout itself, i.e. give you the data in columns and rows. This is when the attributes of one dimension are known beforehand. This is usually not the case with IQs or countries as in the example given (i.e. you wouldn't have known which countries and which IQs are present in the table, if I hadn't shown you). But of course you could have retrieved either the countries or the IQs first and then built the main query dynamically (with conditional aggregation or pivot). Another case when values are known beforehand is booleans, e.g. a flag in the persons table to show whether a person is homeless. If you wanted results for how many homeless persons in which countries, you could easily write a query with two columns for homeless and not homeless.
As mentioned: that you can display data in a two-way table doesn't say anything about how this data is stored. Above I showed you a one-table example. But let's say you have stores in many cities and want to know in which cities live thinner or thicker people. You decide to check which t-shirt sizes you sold in which cities. So you take your clients' orders, look up the clients and the cities they live in. You also look up the order details and the items they refer to, then take all items of type t-shirt. There are many tables involved, but the result is again a two-sided table showing the relation of two attributes. E.g.:
city | S | M | L | XL
------------+-----+-----+-----+-----
New York | 5% | 8% | 7% | 10%
Los Angeles | 10% | 7% | 7% | 8%
Chicago | 1% | 4% | 6% | 11%
Houston | 2% | 2% | 5% | 7%

Change the order of a table according to preferences given in another table

In SQL Server, I have a table A as below
Name Food PreferenceOrder
------------------------------
Jon Burger 1
Jon Coke 2
Jon Pizza 3
Jon Fries 4
Sam Pizza 1
Sam Coke 2
I have another table B that can override the preference order above
Name Food PreferredOverFood
--------------------------------
Jon Pizza Fries
Jon Coke Burger
Jon Fries Coke
Sam Coke Pizza
Basically here, Food should come before PreferredOverFood (Pizza > Fries)
Now, I want to reorder table A according to Table B preferences, so the result should be like
Name Food PreferenceOrder
------------------------------
Jon Burger 4
Jon Pizza 1
Jon Fries 3
Jon Coke 2
Sam Pizza 2
Sam Coke 1
I tried using cursors, so I created a dynamic cursor; with each fetch I am updating Table B with table A preference, but since we are updating things row by row it's not considering rows that violate the previous preferences, so I am getting Fries before Pizza (since Fries > Coke is run and it forgot about the first preference (Pizza > Fries)).
So the dynamic cursor is not working (it's not refreshing the result set after update). Can I use a CTE or something to do the above? (There can also be circular dependencies, but I'm not too worried about that for now.)
Thanks

Get data from string of specific values SQL

I'm rather new at SQL programming, and still struggling with the basics. I need to extract some specific rows, from a specified string of IDs.
ID Product City
1 Apple London
2 Banana Berlin
3 Orange Berlin
4 Orange Paris
5 Apple Paris
6 Banana Copenhagen
7 Banana Copenhagen
8 Banana London
9 Apple Paris
10 Orange London
11 Apple Berlin
12 Apple Copenhagen
13 Apple Paris
If I need to select ID=1,2,5,6,10,11,13 how do I extract these specific rows from the database?
I'm using SQLite.
Thanks in advance.
You should use the in clause
select * from your_table
where id in (1,2,5,6,10,11,13)