Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate a dynamic multi-value field based on a specific field in a search

elaoumam
Engager
‎06-17-2019 12:06 PM

Hi there,

I'm fairly new to Splunk searches.
I have a search in a log : index=tutti sourcetype=toto status!=4

Where I have 4 fields of interest namely : BeginTime (in epoch format), EndTime (in epoch format), LogTime (in epoch format) and Attempts.
I want a search that would generate a dynamic multi-value field ("|" separated), let's call it LogTimes, based on the following logic :

If Attempts =1 then LogTimes = LogTime
    elsif Attempts =2 then LogTimes = BeginTime|EndTime
    elsif Attempts =3 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/2|EndTime
    elsif Attempts = 4 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/3|BeginTime+2*(EndTime-BeginTime)/3|EndTime

Then it should count every timestamp occurrence (every single value in LogTimes) at the end.

elsif Attempts = n  then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/(n-1)|BeginTime+2*(EndTime-BeginTime)/(n-1)|..............|BeginTime+(n-2)*(EndTime-BeginTime)/(n-1)|EndTime

Can someone help me, please?

0 Karma
Reply

elaoumam
Engager
‎06-19-2019 09:38 AM

Basically if I have an event like the following :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime
aH345kli,0,3,1560861000,1560864000,1560863000
I should end up with something like :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes
aH345kli,0,3,1560861000,1560864000,1560863000,1560861000|1560862500|1560864000
If it's like :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime
aH345kli,0,1,1560861000,1560864000,1560863000
It should be :
Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes
aH345kli,0,1,1560861000,1560864000,1560863000,1560863000
and so on.
And then return the corresponding total count of each timestamp in LogTimes (on all event) in a span of 1 min.

0 Karma
Reply

somesoni2
Revered Legend
‎06-17-2019 02:07 PM

Can we have some sample data and corresponding output? Is the Attempts a field with literal numerical value of 1,2,3,4....?

0 Karma
Reply

elaoumam
Engager
‎06-18-2019 07:10 AM

Hi @somesoni2, yes it's a field with strict numerical values 1,2, 3, 4...
a data sample would look like :
Transaction_ID, status, Attempts, BeginTime, EndTime, LogTime
aH345kli, 0, 5, 1560861000, 1560864000, 1560863000

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...