How to associate a value generated by a host with ...

ohlafl · ‎08-03-2015

This is an overview of how my system produces a certain value:

Usually each area has a set of hosts, but there are also a few hosts that do not. In this case, one host that is not part of an area is generating a value that I need to associate with an area.

The name of the area can be found in the name of the source generated by the host such as source=/log/areaName/rest_of_path. Would it be possible to create an association using just SPL or must the flow be top down like area -- host -- value? How should I structure my search logic?

The purpose of this is to be able to list the Value by Area so that each Area will have one Value.

woodcock · ‎08-03-2015

If I understand you correctly, you need thecoalesce command and can use it like this:

... | rex field=source "/[^/]+/(?<areaName>)[^/]+/" | eval areaName=coalesce(areaName, host) | stats values(Value) by areaName

Or, since every event will have a source so the rex command will have false positives for the "null" case above, maybe you need the if command like this:

... | rex field=source "/[^/]+/(?<areaName>)[^/]+/" | eval areaName=if(myTestHere(areaName), areaName, host) | stats values(Value) by areaName

ohlafl · ‎08-03-2015

This would seem about right, yes, I do however get an error with the rex:

Error in 'rex' command: Encountered the following error while compiling the regex '/[^/]+/(?<areaName)[^/]+/': Regex: syntax error in subpattern name (missing terminator)

I am not very familiar with regex, excuse my noobishness.

woodcock · ‎08-03-2015

Sorry, I had a typo in my RegEx but I fixed it. Try it again.

How to associate a value generated by a host with a field/event outside of the source?

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...