Is there a way to extract single count values from sistats summary data?

Explorer

At the end of a long search that goes into a summary index we capture counts of events by site using sistats:

| sistats dc(site) by partner trackingid date _time

This results in a field in the summary like:

psrsvd_vm_site="106;3;109;4;113;6;120;3;123;3;"

which has pairs of site_id value and event counts for that site. We usually use dc() to get a count of sites per day for a given item and just get the total of the counts, but we have a need to get back out the count corresponding to a specific site.

We can get the list of sites with this:

| stats values(site) as sites count as totalcount by trackingid date partner

But I can't figure out how to get the individual counts out matched up to the corresponding site. Is there a way to tell that site 113 had 6 events? And we need it for all sites so we could eventually do an mvexpand or similar (so it can't be finding an index to a specific value).

Unfortunately, since sistats delimits both the data point and the set with a semicolon, most of the built-in functions don't seem to help. I've been looking for something like an unzip (an inverse of mvzip?) or slice operation on a string or multivalue field to get pairs of values or every other one.

Thanks


Explorer

Okay, think I figured out a way forward. I'm using rex to parse out every other item directly from the sistats generated field:

| eval parsed_sites=psrsvd_vm_site | rex field=parsed_sites mode=sed "s/(\d+);\d+;?/\1;/g"
| eval parsed_counts=psrsvd_vm_site | rex field=parsed_counts mode=sed "s/\d+;(\d+);?/\1;/g"

This gives me two fields holding each type of value in order. Now I should be able to manipulate those lists to get what I want. Probably by converting them to multivalued fields, getting the index of a site and looking up the count by index, etc.
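
An added example, not part of the original posts: a way to get one row per site with its count, so that site 113 can be matched to 6 events without any index lookup. It assumes the field always holds complete site;count pairs as shown in the question; the field names site_pair and site_events and the two constructed-A/constructed-B rows are made up here so the search runs on its own.

```spl
| makeresults count=2
| streamstats count as n
| eval trackingid=if(n=1, "constructed-A", "constructed-B")
| eval psrsvd_vm_site=if(n=1, "106;3;109;4;113;6;120;3;123;3;", "113;2;140;5;")
| rex field=psrsvd_vm_site max_match=0 "(?<site_pair>\d+;\d+);"
| mvexpand site_pair
| rex field=site_pair "^(?<site>\d+);(?<site_events>\d+)$"
| table trackingid site site_events
```

Against the real summary data, drop the first four lines and add partner and date to the final table. Because the first rex captures each pair as a single multivalue entry before mvexpand, the site and its count cannot drift out of alignment.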
