How do you extract and aggregate on field names in...

bcatwork · ‎10-04-2018

I am working with a log format that contains some upstream and downstream request details, containing a URI and a variable number of other fields. The ones i am interested are all prefixed by the word 'backend_' with a latency value assigned.

I am looking to extract the dependencies to know that a single URIs in turn calls 1:n different named backends. I need the field names and not the values.

take 2 sample events like:

requestID=123 URI=/foo/ backend_x=10 backend_y=15 backend_z=20

requestID=124  URI=/foo/bar backend_z=10 backend_a=100

For each of these events, how can i list all backend field names that appear?

If i use this, it seems to grab only the first backend name found:

   foreach backend* [eval backend = "<<FIELD>>"]

If i use this, it seems to associate every found backend name to each event, not only the one(s) specific to that event.

foreach backend* [eval backend_<<MATCHSTR>> = "<<FIELD>>"]

Ultimately, I am after a table that would list request counts, backends used, by each URI.

I have found that I can use a regular expression to match each field and extract the name, but is there any additional way to use the existing field names and avoid the regex?

rex field=_raw max_match=100 "backend_(?<backend>[^\s=]+)"

Thanks for any insights you can offer!

renjith_nair · ‎10-05-2018

@bcatwork ,

Try this

your search |foreach backend* [eval backends=if(isnull(backends),"<<FIELD>>",backends."#"."<<FIELD>>")]
|table backends|makemv backends delim="#"|mvexpand

Happy Splunking!

kmorris_splunk · ‎10-05-2018

I'm not sure if this is helpful, but have you tried this:

... | fields backend_*

OR

... | fieldsummary | fields backend_*

How do you extract and aggregate on field names instead of values?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!