Splunk Search

How to create a new field out of some evaluated data?

moizmmz
Path Finder

Hello,

So here's my Query:

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | stats sum(message.concurrent_sessions) as "Concurrent Sessions" by message.account | addcoltotals labelfield=message.account label="Total"

After I calculate the 'sum(message.concurrent_sessions)' I want to make a new field called 'Concurrent Sessions' out of it. How could I do that? I suppose it would have to be a combination of stats and eval but I just can't seem to get it right. Please help!


vinod94
Contributor

Hi dude @moizmmz,

Could you please explain a bit more about it so that we can have a clear picture, or can you share some sample logs?

I think you are looking for something like this...

Your search | stats count(eval( Your Condition )) as test by message.account


cvssravan
Path Finder

@moizmmz
Try this: I think for this scenario you may have to use eventstats. It will calculate the sum of concurrent sessions by account into a new field, as you require. Hope it helps.

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | eventstats sum(message.concurrent_sessions) as "Concurrent Sessions" by message.account | addcoltotals labelfield=message.account label="Total"

moizmmz
Path Finder

Perfect! Thank you!



moizmmz
Path Finder

Sure, so the field: message.concurrent_sessions has different values in it which tell us the number of concurrent sessions. An image of which is below:
https://drive.google.com/open?id=1L-6q9Mlg5yrrZCWlc2xF8J0R523lqyro

As shown in the query, I'm doing stats sum(message.concurrent_sessions) and renaming the resulting tabular column as "Concurrent Sessions". But instead of just a tabular column, I want a whole new field which has the resulting values (that Concurrent Sessions has) in it.

I know it's stats sum(eval(condition)), but no matter what I try, Splunk says it's an error. Need to frame it right.

Here's the raw text of one log:
{"message": {"account": "fox_nation", "title": "Fox News Talk Radio | Public", "timestamp": 1549440027975, "channelID": "f12a9d64997042498dbb8cbe1560355d", "missing_content_slate": 2, "concurrent_sessions": 2}}


vinod94
Contributor

@moizmmz ,

Try this,

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | eventstats sum(message.concurrent_sessions) as "New Concurrent Sessions" by message.account

and check the fields... there should be a "New Concurrent Sessions" field.

Let me know if it works!


moizmmz
Path Finder

Perfect!! Thank you!!!
