Splunk Enterprise

How to multiply if condition satisfies in splunk query

kirrusk
Communicator

 

Hi All, is this possible in Splunk?

I have data like below:

field1    field2
1500m     20GB
2000m     21GB
45        500mb
1440m     250mb
12        15GB

 

In field1, if any number does not end with "m", it should be multiplied by 1000.

In field2, if any number does not end with "GB", it should be divided by 1024.

For example, the result should be like this:

 

field1     field2
1500 m     20GB
2000 m     21GB
45000 m    0.48GB
1440 m     0.24GB
12000 m    15GB


javiergn
Super Champion

Hi @kirrusk ,

See if the following does the trick (ignore the first 4 lines which I used to replicate your example):

| makeresults
| eval fields = split("1500m,20GB|2000m,21GB|45,500mb|1440m,250mb|12,15GB", "|")
| mvexpand fields
| rex field=fields "(?<field1>[^\,]+)\,(?<field2>.+?)$" | fields - _time, fields
| rex field=field1 "(?<field1_num>\d+)(?<field1_unit>\D*)$"
| rex field=field2 "(?<field2_num>\d+)(?<field2_unit>\D*)$"
| eval 
    field1_num = if(NOT match(field1_unit, "m$") OR isNull(field1_unit), field1_num*1000, field1_num),
    field2_num = if(NOT match(field2_unit, "GB$") OR isNull(field2_unit), round(field2_num/1024,2), field2_num),
    field1_unit = "m",
    field2_unit = "GB"
| eval 
    field1 = field1_num.field1_unit,
    field2 = field2_num.field2_unit
| table field1, field2

And the screenshot from my lab:

Screenshot 2021-05-24 at 11.48.17.png


ITWhisperer
SplunkTrust

| makeresults 
| eval _raw="field1,field2
1500m,20mb
2000m,1mb
45,500mb
1440m,2500mb
12,15GB"
| multikv forceheader=1
| fields - _* linecount 
| rex field=field1 mode=sed "s/(?<d>\d+)$/\1km/g s/km/000m/g"
| rex field=field2 mode=sed "s/(?<d>^\d)mb/0\1mb/g s/(?<d>^\d\d)mb/0\1mb/g s/(?<d>\d{3})mb/.\1GB/g s/^\./0./g"
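Both answers above do the same two things: split each value into its trailing number and its unit suffix, then convert only when the suffix is missing or is not the target unit. As an added example that is not part of either answer and not Splunk code, here is the same logic in plain Python, handy for checking the SPL output offline or applying the rule to exported rows. It follows the accepted answer's arithmetic (multiply by 1000, divide by 1024 and round to two places) and goes slightly beyond the thread by treating the unit suffix case-insensitively and by rejecting a suffix it does not recognise instead of silently dividing it. The sample rows are constructed from the question. One caveat visible in the page itself: 500/1024 is 0.48828..., so round() gives 0.49 where the asker's expected table shows the truncated 0.48; the accepted answer's round() produces 0.49 as well.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample rows, copied from the question (not pulled from an index).
SAMPLE_ROWS = [
    ("1500m", "20GB"),
    ("2000m", "21GB"),
    ("45", "500mb"),
    ("1440m", "250mb"),
    ("12", "15GB"),
]

# Same split as the accepted answer's rex: the number, then whatever non-digit
# suffix follows it up to the end of the value (possibly nothing at all).
NUM_UNIT = re.compile(r"^\s*(?P<num>\d+(?:\.\d+)?)(?P<unit>\D*)$")


def split_num_unit(value):
    """Return (number, unit) with the unit lower-cased and whitespace stripped."""
    match = NUM_UNIT.match(value)
    if not match:
        raise ValueError(f"not a number with optional unit: {value!r}")
    return Decimal(match.group("num")), match.group("unit").strip().lower()


def normalize_field1(value):
    """Asker's rule for field1: anything not already in 'm' is multiplied by 1000."""
    num, unit = split_num_unit(value)
    if unit != "m":
        num *= 1000
    return f"{num:f}m"


def normalize_field2(value, places=2):
    """Asker's rule for field2: anything not already in GB is divided by 1024.

    Unlike the SPL, an unexpected suffix (e.g. 'kb') raises instead of being
    silently divided by 1024 as if it were MB.
    """
    num, unit = split_num_unit(value)
    if unit in ("", "mb"):
        num = (num / 1024).quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP)
    elif unit != "gb":
        raise ValueError(f"unsupported unit {unit!r} in {value!r}")
    return f"{num}GB"


def normalize_rows(rows):
    """Apply both rules to (field1, field2) pairs, like the final eval/table."""
    return [(normalize_field1(f1), normalize_field2(f2)) for f1, f2 in rows]


if __name__ == "__main__":
    for field1, field2 in normalize_rows(SAMPLE_ROWS):
        print(f"{field1:<10}{field2}")
```

Decimal is used rather than float so the two-place rounding is exact and predictable; the regex mirrors the accepted answer's `(\d+)(\D*)$` split, which is why a bare "45" gets an empty unit and falls into the "convert" branch exactly as the `isNull`/`NOT match` test does in the SPL.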

