Solved: Re: Dividing a value by 1000

prathapkcsc · ‎06-20-2017

My search looks like this
base search | rex ".?(?[^,]+),\s?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+)"

| eval Total_Disk=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Here, I am dividing the Total_Disk by 1000. But, in table statistics Total_Disk not printing any values.
How to get the data according to my requirement.
Thank You

somesoni2 · ‎06-20-2017

How about this?

base search| rex "^\s*(?<server>[^,]+),\s*(?<NODE>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<CPU>[^,]+),\s*(?<Total_Disk>[^,]+),\s*(?<Used_Disk>[^,]+),\s*(?<Total_Memory>[^,]+),\s*(?<Used_Memory>\S+)"  
   | eval Total_Disk=tonumber(Total_Disk)/1000 
  | table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

View solution in original post

somesoni2 · ‎06-20-2017

How about this?

base search| rex "^\s*(?<server>[^,]+),\s*(?<NODE>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<CPU>[^,]+),\s*(?<Total_Disk>[^,]+),\s*(?<Used_Disk>[^,]+),\s*(?<Total_Memory>[^,]+),\s*(?<Used_Memory>\S+)"  
   | eval Total_Disk=tonumber(Total_Disk)/1000 
  | table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

prathapkcsc · ‎06-20-2017

Perfect !
Can you explain that ?

somesoni2 · ‎06-20-2017

I initially started with fixing the regex, but I believe that was not the issue. The issue could be the wrong case used in Total_Disk field name (used Total_disk instead of Total_Disk), in the last query you posted.

prathapkcsc · ‎06-20-2017

That one i tried, no result came.
You changed the regex by adding \d{4}-\d{2}-\d{2})
I don't understand,what it does?

somesoni2 · ‎06-20-2017

\d is for digits. I basically explicitly provided format of date and time fields. I kike to be specific where I can.

somesoni2 · ‎06-20-2017

My guess is field Total_Disk is not extracted (value is null). So try running this to confirm if the value is extracted or not. If not (field Total_Disk is null/blank), paste your sample event and query again (and make sure you select the query and click on Ctrl+K or "101010" button to apply code formatting).

base search | rex ".?(?[^,]+),\s?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+),\s*?(?[^,]+)" 
| eval Total_Disk1=Total_Disk/1000
| table _time server NODE Count CPU Total_Disk Total_Disk1 Used_Disk Total_Memory Used_Memory

prathapkcsc · ‎06-20-2017

base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"  
 | eval Total_Disk=Total_disk/1000 
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

This is my search

somesoni2 · ‎06-20-2017

Try this

base search| rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)"  
  | eval Total_Disk=tonumber(Total_disk)/1000 
 | table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

prathapkcsc · ‎06-20-2017

This is also not giving the results. Null values are coming.

cmerriman · ‎06-20-2017

is Total_Disk a field with values coming back before your rex command? after your rex command? what does the data look like before your eval statement?

prathapkcsc · ‎06-20-2017

Total_Disk value coming after the rex command.

niketn · ‎06-20-2017

@prathapkcsc, Please re-post your search query with code button (101010) so that special characters do not get escaped. Would it be possible for you to add some sample events as well?

If possible use Splunk Interactive Field Extraction(IFX) instead of rex to make sure that field is getting extracted as you expect. You can also test your regular expression through IFX regex101.com. (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

prathapkcsc · ‎06-20-2017

DataNode,Hadoop,2017-06-17,23:05,26, 0.18, 1149876, 7231, 251, 70.8462
Flume,Hadoop,2017-06-17,23:05,9, 0.23, 108345, 114, 125, 17.6667
ResourceManager,Hadoop,2017-06-17,23:05,2, 0.11, 22146,320, 125, 9
ZooKeeper,Hadoop,2017-06-17,23:05,5, 0.2, 63747, 977, 125, 10
Foyer,Hadoop,2017-06-17,23:05,2, 0.14, 22146,320, 125, 10.5
Splunk,Hadoop,2017-06-17,23:05,1, 0.06, 40959, 106, 251, 3

This is my sample data

prathapkcsc · ‎06-20-2017

base search 
 |  rex ".*?(?<server>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<date>[^,]+),\s*?(?<time>[^,]+),\s*?(?<Count>[^,]+),\s*?(?<CPU>[^,]+),\s*?(?<Total_Disk>[^,]+),\s*?(?<Used_Disk>[^,]+),\s*?(?<Total_Memory>[^,]+),\s*?(?<Used_Memory>[^,]+)" 

  | eval Total_Disk=Total_Disk/1000 
| table _time server NODE Count CPU Total_Disk Used_Disk Total_Memory Used_Memory

Dividing a value by 1000

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!