topic Re: Dividing a value by 1000 in Splunk Search

Dividing a value by 1000

prathapkcsc — Tue, 29 Sep 2020 14:32:09 GMT

My search looks like this
base search | rex ".?(?[^,]+),\s?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+)"

| eval Total_Disk=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Here, I am dividing the Total_Disk by 1000. But, in table statistics Total_Disk not printing any values.
How to get the data according to my requirement.
Thank You

Re: Dividing a value by 1000

cmerriman — Tue, 20 Jun 2017 17:46:23 GMT

is Total_Disk a field with values coming back before your rex command? after your rex command? what does the data look like before your eval statement?

Re: Dividing a value by 1000

somesoni2 — Tue, 29 Sep 2020 14:32:42 GMT

My guess is field Total_Disk is not extracted (value is null). So try running this to confirm if the value is extracted or not. If not (field Total_Disk is null/blank), paste your sample event and query again (and make sure you select the query and click on Ctrl+K or "101010" button to apply code formatting).

base search | rex ".?(?[^,]+),\s?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+)" 
| eval Total_Disk1=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Total_Disk1 Used_Disk Total_Memory Used_Memory

Re: Dividing a value by 1000

niketn — Tue, 20 Jun 2017 18:53:53 GMT

@prathapkcsc, Please re-post your search query with code button (101010) so that special characters do not get escaped. Would it be possible for you to add some sample events as well?

If possible use Splunk Interactive Field Extraction(IFX) instead of rex to make sure that field is getting extracted as you expect. You can also test your regular expression through IFX regex101.com. (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:06:05 GMT

base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"  
 | eval Total_Disk=Total_disk/1000 
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

This is my search

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:14:52 GMT

DataNode,Hadoop,2017-06-17,23:05,26, 0.18, 1149876, 7231, 251, 70.8462
Flume,Hadoop,2017-06-17,23:05,9, 0.23, 108345, 114, 125, 17.6667
ResourceManager,Hadoop,2017-06-17,23:05,2, 0.11, 22146,320, 125, 9
ZooKeeper,Hadoop,2017-06-17,23:05,5, 0.2, 63747, 977, 125, 10
Foyer,Hadoop,2017-06-17,23:05,2, 0.14, 22146,320, 125, 10.5
Splunk,Hadoop,2017-06-17,23:05,1, 0.06, 40959, 106, 251, 3

This is my sample data

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:17:28 GMT

base search 
 |  rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)" 

  | eval Total_Disk=Total_Disk/1000 
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:22:02 GMT

Total_Disk value coming after the rex command.

Re: Dividing a value by 1000

somesoni2 — Tue, 20 Jun 2017 19:23:47 GMT

Try this

base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"  
  | eval Total_Disk=tonumber(Total_disk)/1000 
 | table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:27:01 GMT

This is also not giving the results. Null values are coming.

Re: Dividing a value by 1000

somesoni2 — Tue, 20 Jun 2017 19:32:40 GMT

How about this?

base search| rex "^\s*(?<server>[^,]+),\s*(?<NODE>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<CPU>[^,]+),\s*(?<Total_Disk>[^,]+),\s*(?<Used_Disk>[^,]+),\s*(?<Total_Memory>[^,]+),\s*(?<Used_Memory>\S+)"  
   | eval Total_Disk=tonumber(Total_Disk)/1000 
  | table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:38:00 GMT

Perfect !
Can you explain that ?

Re: Dividing a value by 1000

somesoni2 — Tue, 29 Sep 2020 14:32:44 GMT

I initially started with fixing the regex, but I believe that was not the issue. The issue could be the wrong case used in Total_Disk field name (used Total_disk instead of Total_Disk), in the last query you posted.

Re: Dividing a value by 1000

prathapkcsc — Tue, 20 Jun 2017 19:50:31 GMT

That one i tried, no result came.
You changed the regex by adding \d{4}-\d{2}-\d{2})
I don't understand,what it does?

Re: Dividing a value by 1000

somesoni2 — Tue, 20 Jun 2017 20:19:18 GMT

\d is for digits. I basically explicitly provided format of date and time fields. I kike to be specific where I can.