topic Performing basic calculations, eval statement and wildcard in Splunk Search

Performing basic calculations, eval statement and wildcard

bcatwork — Mon, 28 Sep 2020 20:05:41 GMT

I need some assistance in calculating latency values. I have many hosts, logging transformation latency in different ways. Some of these events contain a field called transformation_latency (host=barfoo1, host=barfoo2), the others contain total_latency and backend_latency (host=foobar01, host=foobar02, foobar03))

The logic works as follows: If host=foobar*, transformation_latency=(total_latency - backend_latency)

my stats function looks like |stats avg(transformation_latency)

I have found using eval statements, I cannot use a wildcard. I am seeking a way to perform this calculation and assign a transformation_latency if one is not present in the event.

I have tried <pre>eval field=if(isnull(field),elsefield,field) </pre>
But, as we continue to add hosts, logs will differ and I must more implicitly state that this specific calculation applies to hosts like %foobar0% only

Thanks!

Re: Performing basic calculations, eval statement and wildcard

bcatwork — Tue, 29 Sep 2020 07:54:09 GMT

I have checked the examples. This seems like it will help. How can I explicitly state the host value using a wildcard rather than just a wildcard field?

This does not work,
foreach host=foobar* [eval transformation_latency=total_latency-backend]

I have already initialized all variables by the time of the foreach statement. I need to perform this calculation dependent on host value.

Thank your for your time and prompt assistance!

Re: Performing basic calculations, eval statement and wildcard

jacobwilkins — Thu, 28 May 2015 20:50:48 GMT

This is not a foreach usecase.

This is actually much simpler. Before your stats command, do this:

| eval transformation_latency=coalesce(transformation_latency, total_latency-backend)

The name of the host doesn't matter. The presence or absence your transformation_latency field is all that matters. If it is there, use it. If it isn't, calculate it.

Re: Performing basic calculations, eval statement and wildcard

bcatwork — Mon, 28 Sep 2020 20:06:18 GMT

So this works for my current state. However, I will need to perform a different calculation based on host parameters in the near future that will not handle a null value for transformation_latency the same way as above.

To be more specific, I calculate backend_latency using the addtotal commands for iterative backend calls, but I will need the max backend_latency* for parallel calls. Ive found I need to use the coalesce function prior to the addtotal command to have null values handled properly. So how can I state, use (total_latency-backend_latency) if host=xyz, use
(total_latency-max_backend_latency)) if host=abc. Any suggestions? Thanks!

Re: Performing basic calculations, eval statement and wildcard

jacobwilkins — Fri, 29 May 2015 18:14:17 GMT

Well, once again, is max_backend_latency null in cases where you need to use backend_latency? If so, same trick. For clarity, we'll converge them to a 3rd field.

 | eval my_backend_latency=coalesce(max_backend_latency,backend_latency)
 | eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

If you really have your heart set on doing conditionals based on host, which I'm steering you away from because that kind of procedural-think usually leads to unnecessary complexity, I'll show you how.

| eval my_backend_latency=case(searchmatch(host=xyz*) , backend_latency, searchmatch(host=abc*), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

You could also use if instead of case if you only had 2 conditions. You could also use match instead of searchmatch if you like regex better.

You should study this: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions