topic Re: evaluate mathematical expression in string in Splunk Search

evaluate mathematical expression in string

knielsen — Fri, 25 May 2018 09:33:49 GMT

Hi,

Is there a fast way of evaluating the result a string like "42 + 23" as a new field?

Background: a log file that contains answer time and a list of lengths. I want to calculate the p98(answer time) by summed lengths of events. Right now I'm doing the eval id=_cd+splunk_server | makemv delim="," rl_list | eventstats sum(rl_list) as total_rl by id trick, but I'm wondering if there is a better solution to get a sum of list elements per event.

Thanks,
Kai.

Re: evaluate mathematical expression in string

niketn — Fri, 25 May 2018 10:41:56 GMT

@knielsen, your query, data and question seem to be confusing. Can you add more details? Whatis the field name of string that has data like "42+23"? Based on what you have asked in your question if you just want the sum of a string expression, you would need to create a return like below

| makeresults 
| eval result= 
    [| makeresults 
    | eval data="43+23" 
    | return $data ]

Re: evaluate mathematical expression in string

knielsen — Fri, 25 May 2018 11:00:38 GMT

Hmm, I can't make your result work in a real search. I don't have the value data in inner search right?

Ok, sometimes I speak gibberish. Back: my events have a string field, let's keep it short, "rl". This contains either one integer or a list of comma separated integers. I want to calculate the total of that list for each event and keep other fields of the event as well.

Since I can convert the comma separated "1,2,3,4,5..." with rex or replace into "1+2+3+4+5+6...." I was wondering if there is a simple way to feed that string into a function to get the total.

Re: evaluate mathematical expression in string

knielsen — Fri, 25 May 2018 11:48:37 GMT

Hmm, I just played with

base search | makemv delim="," rl | stats sum(rl) as total values(answertime) as answertime values(whateverIwanttokeep) as whatever by _raw | fields - _raw

That might be faster than my eventstats approach.

A simple function to evaluate a string with math in it does not seem to exist. 🙂

Re: evaluate mathematical expression in string

niketn — Fri, 25 May 2018 11:54:32 GMT

If you do not want all fields , but only specific one after stats, stats(transforming) would be better than eventstats(streaming) command. You should covert your own answer and accept the same.

You could have used map function in my example to evaluate expression for each field passed on through map command but it would be too expensive and may hit limit as well.

Also as far as a command/function not existing at present, you can definitely code Custom Commands using Python if you have the expertise.