https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50731#M10249 <P>I have a script which runs every minute to extract information from squid logs. I'm not interested in actually indexing the data from squid (far too much data) so instead I'm indexing a single line every minute showing the response code statistics from the last minute, for example:</P> <P>HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5</P> <P>Note that the inclusion of codes can vary line by line.</P> <P>Ultimately I'd like to generate total hits and percentage of hits for each status. I've gotten this far:</P> <PRE><CODE>index=myindex sourcetype=squid | extract pairdelim=" ", kvdelim=":", auto=f | stats sum(HTTP*) | addtotals fieldname=TotalHits | rename sum(*) as * </CODE></PRE> <P>which returns something like (contrived output - generally there will be several more fields, HTTP404, 5XX, etc)</P> <PRE><CODE>HTTP0 HTTP200 HTTP206 HTTP301 TotalHits 4322 1234 777 555 6888 </CODE></PRE> <P>What I'd like to do is generate a percentage field for each of the HTTP* columns. I know that eval doesn't handle wildcards, so that doesn't appear to be an option. Is there a way to simply tell splunk to multiply/divide all columns matching a prefix by a value from another field??</P> Tue, 05 Mar 2013 00:47:08 GMT jbmchuck 2013-03-05T00:47:08Z https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50731#M10249 <P>I have a script which runs every minute to extract information from squid logs. I'm not interested in actually indexing the data from squid (far too much data) so instead I'm indexing a single line every minute showing the response code statistics from the last minute, for example:</P> <P>HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5</P> <P>Note that the inclusion of codes can vary line by line.</P> <P>Ultimately I'd like to generate total hits and percentage of hits for each status. I've gotten this far:</P> <PRE><CODE>index=myindex sourcetype=squid | extract pairdelim=" ", kvdelim=":", auto=f | stats sum(HTTP*) | addtotals fieldname=TotalHits | rename sum(*) as * </CODE></PRE> <P>which returns something like (contrived output - generally there will be several more fields, HTTP404, 5XX, etc)</P> <PRE><CODE>HTTP0 HTTP200 HTTP206 HTTP301 TotalHits 4322 1234 777 555 6888 </CODE></PRE> <P>What I'd like to do is generate a percentage field for each of the HTTP* columns. I know that eval doesn't handle wildcards, so that doesn't appear to be an option. Is there a way to simply tell splunk to multiply/divide all columns matching a prefix by a value from another field??</P> Tue, 05 Mar 2013 00:47:08 GMT https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50731#M10249 jbmchuck 2013-03-05T00:47:08Z https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50732#M10250 <P>Oh my god. This is gold :</P> <P>rename sum(*) as *</P> Tue, 05 Mar 2013 07:57:52 GMT https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50732#M10250 jonuwz 2013-03-05T07:57:52Z https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50733#M10251 <P>Using the <A href="http://splunk-base.splunk.com/apps/76026/scale-command">http://splunk-base.splunk.com/apps/76026/scale-command</A> you can do this:</P> <PRE><CODE>... stats ... addtotals ... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" inverse=t | rename ... </CODE></PRE> Thu, 07 Mar 2013 13:24:29 GMT https://community.splunk.com/t5/Reporting/Working-with-dynamically-named-fields-extract/m-p/50733#M10251 martin_mueller 2013-03-07T13:24:29Z