https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188778#M54393 <P>Sorry, I was basing my (incorrect) comment on the following quote from <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Abouteventtypes">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Abouteventtypes</A> - </P> <P>"...you can save any search as an event type."</P> <P>Sometimes the doc contradicts itself, apparently. Sorry about the wild goose chase.</P> Wed, 20 Aug 2014 16:47:36 GMT aweitzman 2014-08-20T16:47:36Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188774#M54389 <P>I was trying to create a tag/eventtype/equivilent for a message length checksum in our logfiles and it seems eventtypes cannot have subsearches.</P> <P>Log Entry: <CODE>20140815143255713732 R 0004 ,OK)</CODE></P> <P>Fields: <CODE>time, rw_mode, message_length, message</CODE></P> <P>Each log entry writes out the number of bytes expected followed by the message received, and I was trying to tag to make sure that these two numbers match.</P> <P>Search: <CODE>sourcetype=mip | eval msglength=len(message) | search msglength!=message_length</CODE></P> <P><STRONG>Edit</STRONG></P> <P>What I am trying to find out I guess is if there is something (field, tag, eventtype, configuration, don't care) which allows me to just calculate these values on indexing and store what I am guessing would be a "calculated field". This use case aside it would be nice to be able to do a validation test on log entries and flag the broken ones.</P> Wed, 20 Aug 2014 15:39:32 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188774#M54389 agoebel 2014-08-20T15:39:32Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188775#M54390 <P>All tagging and event type calculation happens at search time. You should be able to take any search and turn it into an event type.</P> <P>Does the search you posted work from the search bar? I would have guessed that you'd need to use <CODE>where</CODE> instead of <CODE>search</CODE> in the third clause to get the results you want.</P> Wed, 20 Aug 2014 16:33:53 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188775#M54390 aweitzman 2014-08-20T16:33:53Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188776#M54391 <P>It does work in the search bar, when I go to save it as an eventtype I get an error though. I will try out where</P> Wed, 20 Aug 2014 16:35:41 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188776#M54391 agoebel 2014-08-20T16:35:41Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188777#M54392 <P>That's not going to work as-is because there's a pipe in your search.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Classifyandgroupsimilarevents#Important_event_type_definition_restrictions">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Classifyandgroupsimilarevents#Important_event_type_definition_restrictions</A></P> <P>However, nothing's stopping you from defining a calculated field <CODE>msglength=len(message)</CODE> and moving the comparison into the base search. Then your whole search has no more pipes and can be stored in an event type.<BR /> Note, this kind of search isn't going to be fast because Splunk has to load the entire event, calculate the length, and then filter.</P> Wed, 20 Aug 2014 16:38:30 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188777#M54392 martin_mueller 2014-08-20T16:38:30Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188778#M54393 <P>Sorry, I was basing my (incorrect) comment on the following quote from <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Abouteventtypes">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Abouteventtypes</A> - </P> <P>"...you can save any search as an event type."</P> <P>Sometimes the doc contradicts itself, apparently. Sorry about the wild goose chase.</P> Wed, 20 Aug 2014 16:47:36 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188778#M54393 aweitzman 2014-08-20T16:47:36Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188779#M54394 <P>My big concern is that this calculation must be performed per entry per search. Since the message length of a given entry is static, it seems like there should be a way to do a calculation when the event is getting indexed. I have updated the question.</P> Wed, 20 Aug 2014 17:41:24 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188779#M54394 agoebel 2014-08-20T17:41:24Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188780#M54395 <P>No worries, I had actually tried it before I asked the question since I also read that doc. <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Wed, 20 Aug 2014 17:44:55 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188780#M54395 agoebel 2014-08-20T17:44:55Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188781#M54396 <P>It seems that what I am trying to do is exactly why data models exist. Or other ways to calculate fields in props.conf I believe. Still, the question of if there is a way to compute this value once at index time remains open.</P> Wed, 20 Aug 2014 18:34:54 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188781#M54396 agoebel 2014-08-20T18:34:54Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188782#M54397 <P>Even data models are expressed at search time rather than index time, though, which means your larger concern is still an issue. But it may be an easier way of handling what you're trying to do.</P> Wed, 20 Aug 2014 18:53:02 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188782#M54397 aweitzman 2014-08-20T18:53:02Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188783#M54398 <P>At index-time you basically have the expressive power of regexes. That means you cannot do maths or even count, hence you cannot calculate the length of a field and index that value... all you can do is index the field itself. That might make filtering by its length a bit faster, no real-world experience with that though.</P> <P>Are you trying to detect faulty transmissions? If so, going through each event once would be enough... schedule a search for this that triggers some alert if a bad event has occurred, and there's no need to do any index-time calculations at all because you only search once.</P> Wed, 20 Aug 2014 19:15:04 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188783#M54398 martin_mueller 2014-08-20T19:15:04Z https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188784#M54399 <P>I was under the impression that "accelerated" models had some sort of caching? Ah well, question remains open.</P> Wed, 20 Aug 2014 19:32:33 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-computations-in-event-types/m-p/188784#M54399 agoebel 2014-08-20T19:32:33Z