Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to perform math on a field extracted where the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a log entry with a variable number of possible matches with my regex. i had to use max_matches to get them all. for the rows that only have a single match, i can perform math on them, like round() or +1; however, for the rows where there are multiple matches, i am unable to manipulate those matches and when i try it results in a null value being displayed.
How can i perform math on inline field extractions where there are multiple matches?
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a quick sample of a nearly trivial method...
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them apart, round them, put them together"
| mvexpand mydata
| eval mydata=round(mydata,1)
| mvcombine mydata
One problem with that method is illustrated by what it did to the field holddata. It has been reformatted, and you'd need to do | makemv holddata to change it back into a multivalue field.
This next method might be more appropriate for certain simple data structures.
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them apart, round them, put them together"
| mvexpand mydata
| eval mydata=round(mydata,1)
| stats values(*) as * by mykey
The more other data you have, or the more complicated it is, the less appropriate that method might be. Sometimes it might be more appropriate to segregate the data and then reintegrate it later.
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them aside, take them apart, round them, put them together flat, put them back onto the file, then make them back into an mv."
| streamstats count as recno
| appendpipe
[| table recno mydata
| mvexpand mydata
| eval mydata=round(mydata,1)
| stats list(mydata) as mydata2 by recno
| nomv mydata2
| eval rectype="fixed"
]
| eventstats max(mydata2) as mydata by recno
| where isnull(rectype)
| makemv mydata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a quick sample of a nearly trivial method...
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them apart, round them, put them together"
| mvexpand mydata
| eval mydata=round(mydata,1)
| mvcombine mydata
One problem with that method is illustrated by what it did to the field holddata. It has been reformatted, and you'd need to do | makemv holddata to change it back into a multivalue field.
This next method might be more appropriate for certain simple data structures.
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them apart, round them, put them together"
| mvexpand mydata
| eval mydata=round(mydata,1)
| stats values(*) as * by mykey
The more other data you have, or the more complicated it is, the less appropriate that method might be. Sometimes it might be more appropriate to segregate the data and then reintegrate it later.
| makeresults | eval mykey="somekey" | eval myjunk="someotherfield" | eval mydata="123.456 234.5678 345.678" | makemv mydata | eval holddata=mydata
| rename COMMENT as "The above creates test data"
| rename COMMENT as "Take them aside, take them apart, round them, put them together flat, put them back onto the file, then make them back into an mv."
| streamstats count as recno
| appendpipe
[| table recno mydata
| mvexpand mydata
| eval mydata=round(mydata,1)
| stats list(mydata) as mydata2 by recno
| nomv mydata2
| eval rectype="fixed"
]
| eventstats max(mydata2) as mydata by recno
| where isnull(rectype)
| makemv mydata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wow! thanks for the reply. I was afraid the answer would involve, as you say, segregating the data, and reintegrating it later.
I need to lookup several of the commands you are using, but our query actually has 3 regexes, one before, and one after this, that I will need to integrate this into. It'll take me a while but i will attempt to make sense of this and see if i can make it work. thanks so much for the guide!
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@weidertc - you're welcome. Let us know if you need any help getting that to work.
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
