Hello,
I am attempting to raise a group of fields to the power of 2 but Splunk is not returning any results. Below is my search terms
Here is an actual log sample and the full search syntax. Neither of the suggested solutions worked.
Log:
2017-03-20 07:14:24,809 [ INFO] {AWT-EventQueue-0} trcs.patient_id=
2017-03-20 07:14:25,296 [ INFO] {EMRC Controller Event Queue} beam 1 is selected.
2017-03-20 07:29:30,708 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:6.683775778257897mm,Y:-4.458019220244911mm,Z:9.54765mm,Rotation:359.3072792875074deg,Pitch:0.03151268032095971deg,Roll:0.0deg).
2017-03-20 07:29:32,016 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:16,688 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.11733mm,Y:-1.79059mm,Z:0.12328mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:30:17,963 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:53,554 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:31:05,568 [ INFO] {EMRC Controller Event Queue} beam 2 is selected.
2017-03-20 07:37:31,951 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.04683mm,Y:0.78357mm,Z:-2.1995mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:37:34,271 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:38:05,340 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:38:53,284 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:40:50,099 [ INFO] {Application Queue} BeamResult received. Status : NORMAL Dose : 299.52671427910855
2017-03-20 07:40:59,430 [ INFO] {EMRC Controller Event Queue} beam 3 is selected.
2017-03-20 07:42:49,390 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.05384mm,Y:-1.2406mm,Z:-5.11836mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:42:51,015 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:43:22,978 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:44:17,183 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:45:41,170 [ INFO] {Application Queue} BeamResult received. Status : NORMAL Dose : 292.9592996822634
2017-03-20 07:45:57,948 [ INFO] {EMRC Controller Event Queue} session is closed.
Search:
index=logs source=*treat* OR source=*pms* date_hour<=16 date_hour>=7 AND "trcs.patient_id" OR "session is closed" OR "is selected" OR "PPVS Controller Activity ALIGN: valid SROB: PpsPosition("
OR "trcs.tsm_state=Irradiation" OR "BeamResult Received" OR "pms.correction_applied"|
rex field=description "(X:(?<x>-?\d+.\d+\D?-?\d?\d?)mm,Y:(?<y>-?\d+.\d+\D?-?\d?\d?)mm,Z:(?<z>-?\d+.\d+\D?-?\d?\d?)mm,Rotation:(?<rot>-?\d+.\d+\D?-?\d?\d?)deg,Pitch:(?<pitch>-?\d+.\d+\D?-?\d?\d?)deg,Roll:(?<roll>-?\d+.\d+\D?-?\d?\d?)deg)" |
eval x=round(x,1) |
eval y=round(y,1) |
eval z=round(z,1) |
eval rot=round(rot,1) |
eval pitch=round(pitch,1) |
eval roll=round(roll,1) |
sort 0 _time|
eval bn=beam_number|
eval bn=if(searchmatch("session is closed"), tonumber("0"), bn)|
streamstats last(bn) as "beam"|
eval CVCoord=if(searchmatch("SROB"),mvappend(beam,x,y,z,rot,pitch,roll),null())|
eval CVCoord=mvjoin(CVCoord,", ")|
sort 0 -_time|
transaction startswith="patient_id" endswith="is closed" maxspan=2h by host|
search trcs_patient_id!="A141070" trcs_patient_id!="A142388" trcs_patient_id!="A160539" trcs_patient_id!="A170316" trcs_patient_id!="A153361" trcs_patient_id!="A161805" trcs_patient_id!="A161809" "Irradiation" "BeamResult Received" "pms.correction_applied"|
sort _time|
mvexpand CVCoord|
rex field=CVCoord "(?<BEAM>\d),(?<X>.+),(?<Y>.+),(?<Z>.+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)" |
search BEAM!=0|
eval part=if(BEAM=1, "Setup", "Treatment")|
eval X2=pow(X,2)|
eval Y2=pow(Y,2)|
eval Z2=pow(Z,2)|
eval Norm2=X2+Y2+Z2|
eval Norm=round(sqrt(Norm2))|
chart count over Norm by part
The chart doesn't return any results for because Norm doesnt contain any values from X2, Y2, or Z2 and thus doesn't return any results. I have confirmed that values exist for X, Y, and Z from my rex command but they aren't being raised to the power of 2 and instead Splunk is just returning blank values to the fields X2, Y2, and Z2. Can anyone help?
I tried in my local it is working with below search query:
|stats c|eval a="2"|eval b=3|table a,b|eval ab=pow(a,2)|eval cd=pow(b,2)|eval norm=ab+cd|eval norm2=round((sqrt(norm)))
Note: if your extracted values for x,y,z are strings it will show as a blank
I downvoted this post because it didnt work
If somesoni2's or woodcock's answers don;t work for you, then please post the exact _raw layout of a couple of events. Remember to hit the "code" button so that no spaces will be lost of formatting will be changed.
Try this:
... | rex field=CVCoord "(?<BEAM>\d)\s*,\s*(?<X>\d+)\s*,\s*(?<Y>\d+)\s*,\s*(?<Z>\d+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)"
| eval X2=pow(X,2)
| eval Y2=pow(Y,2)
| eval Z2=pow(Z,2)
| eval Norm2=X2+Y2+Z2
| eval Norm=round(sqrt(Norm2))
| table X2 Y2 Z2
This change to rex didnt return any values for X, Y, or Z.
The problem is surely that X
, Y
, and/or Z
either do not exist (field extraction failed) or are not numbers. You are going to have to debug backwards and fix that.
See if eval expression like below gives you results.
eval X2=pow(tonumber(X),2)