Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Generate a dynamic multi-value field based on a sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generate a dynamic multi-value field based on a specific field in a search
Hi there,
I'm fairly new to Splunk searches.
I have a search in a log : index=tutti sourcetype=toto status!=4
Where I have 4 fields of interest namely : BeginTime (in epoch format), EndTime (in epoch format), LogTime (in epoch format) and Attempts.
I want a search that would generate a dynamic multi-value field ("|" separated), let's call it LogTimes, based on the following logic :
If Attempts =1 then LogTimes = LogTime
elsif Attempts =2 then LogTimes = BeginTime|EndTime
elsif Attempts =3 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/2|EndTime
elsif Attempts = 4 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/3|BeginTime+2*(EndTime-BeginTime)/3|EndTime
Then it should count every timestamp occurrence (every single value in LogTimes) at the end.
elsif Attempts = n then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/(n-1)|BeginTime+2*(EndTime-BeginTime)/(n-1)|..............|BeginTime+(n-2)*(EndTime-BeginTime)/(n-1)|EndTime
Can someone help me, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically if I have an event like the following :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime
aH345kli,0,3,1560861000,1560864000,1560863000
I should end up with something like :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes
aH345kli,0,3,1560861000,1560864000,1560863000,1560861000|1560862500|1560864000
If it's like :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime
aH345kli,0,1,1560861000,1560864000,1560863000
It should be :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes
aH345kli,0,1,1560861000,1560864000,1560863000,1560863000
and so on.
And then return the corresponding total count of each timestamp in LogTimes (on all event) in a span of 1 min.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we have some sample data and corresponding output? Is the Attempts a field with literal numerical value of 1,2,3,4....?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @somesoni2, yes it's a field with strict numerical values 1,2, 3, 4...
a data sample would look like :
Transaction_ID, status, Attempts, BeginTime, EndTime, LogTime
aH345kli, 0, 5, 1560861000, 1560864000, 1560863000
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
