Splunk Search

How to edit my search to raise a group of fields to the power of 2?

epresson
New Member

Hello,

I am attempting to raise a group of fields to the power of 2, but Splunk is not returning any results. Below are my search terms.

Here is an actual log sample and the full search syntax. Neither of the suggested solutions worked.

Log:

2017-03-20 07:14:24,809 [ INFO] {AWT-EventQueue-0} trcs.patient_id=
2017-03-20 07:14:25,296 [ INFO] {EMRC Controller Event Queue} beam 1 is selected.
2017-03-20 07:29:30,708 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:6.683775778257897mm,Y:-4.458019220244911mm,Z:9.54765mm,Rotation:359.3072792875074deg,Pitch:0.03151268032095971deg,Roll:0.0deg).
2017-03-20 07:29:32,016 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:16,688 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.11733mm,Y:-1.79059mm,Z:0.12328mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:30:17,963 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:53,554 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:31:05,568 [ INFO] {EMRC Controller Event Queue} beam 2 is selected.
2017-03-20 07:37:31,951 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.04683mm,Y:0.78357mm,Z:-2.1995mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:37:34,271 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:38:05,340 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:38:53,284 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:40:50,099 [ INFO] {Application Queue} BeamResult received. Status : NORMAL  Dose : 299.52671427910855
2017-03-20 07:40:59,430 [ INFO] {EMRC Controller Event Queue} beam 3 is selected.
2017-03-20 07:42:49,390 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.05384mm,Y:-1.2406mm,Z:-5.11836mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:42:51,015 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:43:22,978 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:44:17,183 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:45:41,170 [ INFO] {Application Queue} BeamResult received. Status : NORMAL  Dose : 292.9592996822634
2017-03-20 07:45:57,948 [ INFO] {EMRC Controller Event Queue} session is closed.

Search:

 index=logs source=*treat* OR source=*pms* date_hour<=16 date_hour>=7 AND "trcs.patient_id" OR "session is closed" OR "is selected" OR "PPVS Controller Activity ALIGN: valid SROB: PpsPosition(" 
    OR "trcs.tsm_state=Irradiation" OR "BeamResult Received" OR "pms.correction_applied"|
    rex field=description "(X:(?<x>-?\d+.\d+\D?-?\d?\d?)mm,Y:(?<y>-?\d+.\d+\D?-?\d?\d?)mm,Z:(?<z>-?\d+.\d+\D?-?\d?\d?)mm,Rotation:(?<rot>-?\d+.\d+\D?-?\d?\d?)deg,Pitch:(?<pitch>-?\d+.\d+\D?-?\d?\d?)deg,Roll:(?<roll>-?\d+.\d+\D?-?\d?\d?)deg)" |  
    eval x=round(x,1) | 
    eval y=round(y,1) | 
    eval z=round(z,1) | 
    eval rot=round(rot,1) | 
    eval pitch=round(pitch,1) | 
    eval roll=round(roll,1) |
    sort 0 _time|
    eval bn=beam_number|
    eval bn=if(searchmatch("session is closed"), tonumber("0"), bn)|
    streamstats last(bn) as "beam"|
    eval CVCoord=if(searchmatch("SROB"),mvappend(beam,x,y,z,rot,pitch,roll),null())|
    eval CVCoord=mvjoin(CVCoord,", ")|
    sort 0 -_time|
    transaction startswith="patient_id" endswith="is closed" maxspan=2h by host|
    search trcs_patient_id!="A141070" trcs_patient_id!="A142388" trcs_patient_id!="A160539" trcs_patient_id!="A170316" trcs_patient_id!="A153361" trcs_patient_id!="A161805" trcs_patient_id!="A161809" "Irradiation" "BeamResult Received" "pms.correction_applied"|
    sort _time|
    mvexpand CVCoord|
    rex field=CVCoord "(?<BEAM>\d),(?<X>.+),(?<Y>.+),(?<Z>.+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)" |
    search BEAM!=0|
    eval part=if(BEAM=1, "Setup", "Treatment")|
    eval X2=pow(X,2)|
    eval Y2=pow(Y,2)|
    eval Z2=pow(Z,2)|
    eval Norm2=X2+Y2+Z2|
    eval Norm=round(sqrt(Norm2))|
    chart count over Norm by part

The chart doesn't return any results because Norm doesn't contain any values from X2, Y2, or Z2 and thus doesn't return any results. I have confirmed that values exist for X, Y, and Z from my rex command, but they aren't being raised to the power of 2, and instead Splunk is just returning blank values to the fields X2, Y2, and Z2. Can anyone help?

0 Karma

mpreddy
Communicator

I tried it locally and it works with the search query below:

|stats c|eval a="2"|eval b=3|table a,b|eval ab=pow(a,2)|eval cd=pow(b,2)|eval norm=ab+cd|eval norm2=round((sqrt(norm)))

Note: if your extracted values for x, y, z are strings, it will show as blank.

0 Karma

epresson
New Member

I downvoted this post because it didn't work.

0 Karma

DalJeanis
SplunkTrust

If somesoni2's or woodcock's answers don't work for you, then please post the exact _raw layout of a couple of events. Remember to hit the "code" button so that no spaces will be lost or formatting will be changed.

0 Karma

woodcock
Esteemed Legend

Try this:

... | rex field=CVCoord "(?<BEAM>\d)\s*,\s*(?<X>\d+)\s*,\s*(?<Y>\d+)\s*,\s*(?<Z>\d+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)"
| eval X2=pow(X,2)
| eval Y2=pow(Y,2)
| eval Z2=pow(Z,2)
| eval Norm2=X2+Y2+Z2
| eval Norm=round(sqrt(Norm2))
| table X2 Y2 Z2

0 Karma

epresson
New Member

This change to rex didn't return any values for X, Y, or Z.

0 Karma

woodcock
Esteemed Legend

The problem is surely that X, Y, and/or Z either do not exist (field extraction failed) or are not numbers. You are going to have to debug backwards and fix that.

0 Karma
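
Debugging backwards as suggested above, as an added example that is not part of the original thread: it replays the search's two-stage extraction in Python on two lines from the posted log and shows that joining with ", " leaves a leading space in every value the second rex captures. Assumptions: Python's `(?P<name>...)` stands in for SPL's `(?<name>...)`, `STAGE1`, `STRICT` and the helper names are hypothetical, and "numeric" is judged by a strict pattern match rather than by Splunk's own type coercion.

```python
import math
import re

# Two PpsPosition payloads copied from the log sample in the question.
RAW = [
    "PpsPosition(X:6.683775778257897mm,Y:-4.458019220244911mm,Z:9.54765mm,"
    "Rotation:359.3072792875074deg,Pitch:0.03151268032095971deg,Roll:0.0deg).",
    "PpsPosition(X:-0.05384mm,Y:-1.2406mm,Z:-5.11836mm,"
    "Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).",
]
NUM = r"-?\d+(?:\.\d+)?"
# Simplified stand-in for the first rex in the question (assumption).
STAGE1 = re.compile(rf"X:({NUM})mm,Y:({NUM})mm,Z:({NUM})mm,Rotation:({NUM})deg,"
                    rf"Pitch:({NUM})deg,Roll:({NUM})deg")
# Second rex from the question, with only the group syntax changed for Python.
ORIGINAL = re.compile(r"(?P<BEAM>\d),(?P<X>.+),(?P<Y>.+),(?P<Z>.+),"
                      r"(?P<ROT>.+),(?P<PITCH>.+),(?P<ROLL>.+)")
# Tightened variant: optional whitespace around commas, signed decimals only.
STRICT = re.compile(r"^(?P<BEAM>\d+)" + "".join(
    rf"\s*,\s*(?P<{n}>{NUM})" for n in ("X", "Y", "Z", "ROT", "PITCH", "ROLL")) + r"\s*$")
IS_NUMBER = re.compile(rf"^{NUM}$")


def cvcoord(raw, beam):
    """Mimic round(...,1), mvappend and mvjoin(CVCoord, ", ") from the search."""
    vals = [str(round(float(v), 1)) for v in STAGE1.search(raw).groups()]
    return ", ".join([str(beam)] + vals)


def extract(pattern, joined):
    """Return the named captures, or an empty dict when the pattern misses."""
    m = pattern.search(joined)
    return m.groupdict() if m else {}


def norm(fields):
    """Rounded Euclidean norm, or None if X, Y or Z is missing or non-numeric."""
    xyz = [fields.get(k) for k in ("X", "Y", "Z")]
    if not all(v is not None and IS_NUMBER.match(v) for v in xyz):
        return None
    return round(math.sqrt(sum(float(v) ** 2 for v in xyz)))


if __name__ == "__main__":
    for beam, raw in enumerate(RAW, start=1):
        joined = cvcoord(raw, beam)
        for name, pat in (("original", ORIGINAL), ("strict", STRICT)):
            f = extract(pat, joined)
            print(name, repr(f.get("X")), repr(f.get("Y")), repr(f.get("Z")), norm(f))
```

If the same leading space is present in Splunk, allowing `\s*` around the commas in the second rex, or joining with `","` instead of `", "`, removes it.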

somesoni2
SplunkTrust

See if an eval expression like the one below gives you results.

eval X2=pow(tonumber(X),2)