Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to raise a group of fields to the power of 2?

epresson
New Member
‎03-30-2017 01:28 PM

Hello,

I am attempting to raise a group of fields to the power of 2 but Splunk is not returning any results. Below is my search terms

Here is an actual log sample and the full search syntax. Neither of the suggested solutions worked.

Log:

2017-03-20 07:14:24,809 [ INFO] {AWT-EventQueue-0} trcs.patient_id=
2017-03-20 07:14:25,296 [ INFO] {EMRC Controller Event Queue} beam 1 is selected.
2017-03-20 07:29:30,708 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:6.683775778257897mm,Y:-4.458019220244911mm,Z:9.54765mm,Rotation:359.3072792875074deg,Pitch:0.03151268032095971deg,Roll:0.0deg).
2017-03-20 07:29:32,016 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:16,688 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.11733mm,Y:-1.79059mm,Z:0.12328mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:30:17,963 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:30:53,554 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:31:05,568 [ INFO] {EMRC Controller Event Queue} beam 2 is selected.
2017-03-20 07:37:31,951 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.04683mm,Y:0.78357mm,Z:-2.1995mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:37:34,271 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:38:05,340 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:0.0deg,Roll:-0.0deg).
2017-03-20 07:38:53,284 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:40:50,099 [ INFO] {Application Queue} BeamResult received. Status : NORMAL  Dose : 299.52671427910855
2017-03-20 07:40:59,430 [ INFO] {EMRC Controller Event Queue} beam 3 is selected.
2017-03-20 07:42:49,390 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:-0.05384mm,Y:-1.2406mm,Z:-5.11836mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:42:51,015 [ INFO] {applicationQueue} pms.correction_applied
2017-03-20 07:43:22,978 [ INFO] {applicationQueue} PPVS Controller Activity ALIGN: valid SROB: PpsPosition(X:0.0mm,Y:0.0mm,Z:0.0mm,Rotation:-0.0deg,Pitch:-0.0deg,Roll:-0.0deg).
2017-03-20 07:44:17,183 [ INFO] {AWT-EventQueue-0} trcs.tsm_state=Irradiation
2017-03-20 07:45:41,170 [ INFO] {Application Queue} BeamResult received. Status : NORMAL  Dose : 292.9592996822634
2017-03-20 07:45:57,948 [ INFO] {EMRC Controller Event Queue} session is closed.

Search:

 index=logs source=*treat* OR source=*pms* date_hour<=16 date_hour>=7 AND "trcs.patient_id" OR "session is closed" OR "is selected" OR "PPVS Controller Activity ALIGN: valid SROB: PpsPosition(" 
    OR "trcs.tsm_state=Irradiation" OR "BeamResult Received" OR "pms.correction_applied"|
    rex field=description "(X:(?<x>-?\d+.\d+\D?-?\d?\d?)mm,Y:(?<y>-?\d+.\d+\D?-?\d?\d?)mm,Z:(?<z>-?\d+.\d+\D?-?\d?\d?)mm,Rotation:(?<rot>-?\d+.\d+\D?-?\d?\d?)deg,Pitch:(?<pitch>-?\d+.\d+\D?-?\d?\d?)deg,Roll:(?<roll>-?\d+.\d+\D?-?\d?\d?)deg)" |  
    eval x=round(x,1) | 
    eval y=round(y,1) | 
    eval z=round(z,1) | 
    eval rot=round(rot,1) | 
    eval pitch=round(pitch,1) | 
    eval roll=round(roll,1) |
    sort 0 _time|
    eval bn=beam_number|
    eval bn=if(searchmatch("session is closed"), tonumber("0"), bn)|
    streamstats last(bn) as "beam"|
    eval CVCoord=if(searchmatch("SROB"),mvappend(beam,x,y,z,rot,pitch,roll),null())|
    eval CVCoord=mvjoin(CVCoord,", ")|
    sort 0 -_time|
    transaction startswith="patient_id" endswith="is closed" maxspan=2h by host|
    search trcs_patient_id!="A141070" trcs_patient_id!="A142388" trcs_patient_id!="A160539" trcs_patient_id!="A170316" trcs_patient_id!="A153361" trcs_patient_id!="A161805" trcs_patient_id!="A161809" "Irradiation" "BeamResult Received" "pms.correction_applied"|
    sort _time|
    mvexpand CVCoord|
    rex field=CVCoord "(?<BEAM>\d),(?<X>.+),(?<Y>.+),(?<Z>.+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)" |
    search BEAM!=0|
    eval part=if(BEAM=1, "Setup", "Treatment")|
    eval X2=pow(X,2)|
    eval Y2=pow(Y,2)|
    eval Z2=pow(Z,2)|
    eval Norm2=X2+Y2+Z2|
    eval Norm=round(sqrt(Norm2))|
    chart count over Norm by part

The chart doesn't return any results for because Norm doesnt contain any values from X2, Y2, or Z2 and thus doesn't return any results. I have confirmed that values exist for X, Y, and Z from my rex command but they aren't being raised to the power of 2 and instead Splunk is just returning blank values to the fields X2, Y2, and Z2. Can anyone help?

0 Karma
Reply

mpreddy
Communicator
‎03-30-2017 04:03 PM

I tried in my local it is working with below search query:

|stats c|eval a="2"|eval b=3|table a,b|eval ab=pow(a,2)|eval cd=pow(b,2)|eval norm=ab+cd|eval norm2=round((sqrt(norm)))

Note: if your extracted values for x,y,z are strings it will show as a blank

0 Karma
Reply

epresson
New Member
‎03-30-2017 06:03 PM

I downvoted this post because it didnt work

0 Karma
Reply

DalJeanis
Legend
‎03-30-2017 03:20 PM

If somesoni2's or woodcock's answers don;t work for you, then please post the exact _raw layout of a couple of events. Remember to hit the "code" button so that no spaces will be lost of formatting will be changed.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-30-2017 02:51 PM

Try this:

... | rex field=CVCoord "(?<BEAM>\d)\s*,\s*(?<X>\d+)\s*,\s*(?<Y>\d+)\s*,\s*(?<Z>\d+),(?<ROT>.+),(?<PITCH>.+),(?<ROLL>.+)"
| eval X2=pow(X,2)
| eval Y2=pow(Y,2)
| eval Z2=pow(Z,2)
| eval Norm2=X2+Y2+Z2
| eval Norm=round(sqrt(Norm2))
| table X2 Y2 Z2
0 Karma
Reply

epresson
New Member
‎03-30-2017 05:46 PM

This change to rex didnt return any values for X, Y, or Z.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2017 02:52 PM

The problem is surely that X, Y, and/or Z either do not exist (field extraction failed) or are not numbers. You are going to have to debug backwards and fix that.

0 Karma
Reply

somesoni2
Revered Legend
‎03-30-2017 02:09 PM

See if eval expression like below gives you results.

eval X2=pow(tonumber(X),2)
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...