Hello splunkers,
I need your help to find a solution for the following issue.
I have a log file as a source that I'm indexing as metrics
Sample Event:
2022/06/15 10:15:22 Total: 1G Used: 65332K Free: 960.2M
I'm able to index values in a metric index but I would like to convert everything to the same unit before doing this.
I tried with eval but it doesn't work
props.conf
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
TRANSFORMS-extract_test = fields_extract_test
EVAL-Total = Total*100
METRIC-SCHEMA-TRANSFORMS = metric-schema:extract_metrics_test
transforms.conf
[fields_extract_test]
REGEX = .*Total: (.*?)([A-Z]) Used: (.*?)([A-Z]) Free: (.*?)([A-Z])
FORMAT = Total::$1 Total_Unit::$2 Used::$3 Used_Unit::$4 Free::$5 Free_Unit::$6
WRITE_META = true
[metric-schema:extract_metrics_test]
METRIC-SCHEMA-MEASURES = _ALLNUMS_
METRIC-SCHEMA-WHITELIST-DIMS = Total,Total_Unit,Used,Used_Unit,Free,Free_Unit
How to do this?
Thanks in advance
Hi
In the indexing phase you should use INGEST_EVAL in transforms.conf instead of EVAL in props.conf (that is a search-time option).
r. Ismo
Hi,
thanks for your reply.
I tried with INGEST_EVAL but it doesn't work (at least not as expected).
I used it like this:
INGEST_EVAL = Total = case(Total_Unit="G",Total*1024,Total_Unit="M",Total,Total_Unit="K",Total/1024)
Maybe I'm doing something wrong
Could you please provide an example based on data in the first message?
Thanks
Hi,
thanks for your suggestion.
It took me a little while, but in the end I got it right.
Just a little tip for anybody who falls into the same issue: it seems that you can use just one INGEST_EVAL per stanza. To add more fields you have to separate the rules with commas, as you'd do in SPL.
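The working setup described in this thread, written out as an added example (it is not the thread's own config); the sourcetype name [mem_usage] and the normalise_units_test stanza name are assumed, and the conversion target is megabytes as in the case() expression above.

```ini
# --- props.conf ---
[mem_usage]
LINE_BREAKER = ([\r\n]+)
# Transforms run in the order listed: extract the values and units first,
# then the INGEST_EVAL stanza that reads those extracted fields.
TRANSFORMS-extract_test = fields_extract_test, normalise_units_test
METRIC-SCHEMA-TRANSFORMS = metric-schema:extract_metrics_test

# --- transforms.conf ---
[fields_extract_test]
# Only digits (with an optional decimal part) followed by G, M or K are
# accepted, so a malformed line yields no fields instead of garbage values.
REGEX = Total: (\d+(?:\.\d+)?)([GMK]) Used: (\d+(?:\.\d+)?)([GMK]) Free: (\d+(?:\.\d+)?)([GMK])
FORMAT = Total::$1 Total_Unit::$2 Used::$3 Used_Unit::$4 Free::$5 Free_Unit::$6
WRITE_META = true

[normalise_units_test]
# One INGEST_EVAL per stanza; the three assignments are comma-separated.
# Every value is converted to megabytes: G*1024, M unchanged, K/1024.
# An unknown unit makes case() return null, so no bogus measure is written.
INGEST_EVAL = Total_MB=case(Total_Unit="G", Total*1024, Total_Unit="M", Total, Total_Unit="K", Total/1024), Used_MB=case(Used_Unit="G", Used*1024, Used_Unit="M", Used, Used_Unit="K", Used/1024), Free_MB=case(Free_Unit="G", Free*1024, Free_Unit="M", Free, Free_Unit="K", Free/1024)

[metric-schema:extract_metrics_test]
# Name the normalised fields explicitly as measures so the raw, unit-less
# Total/Used/Free strings are not also picked up as measures by _ALLNUMS_.
METRIC-SCHEMA-MEASURES = Total_MB,Used_MB,Free_MB
METRIC-SCHEMA-WHITELIST-DIMS = Total_Unit,Used_Unit,Free_Unit
```

After a restart, searching the metric index with mcatalog or mstats should show Total_MB, Used_MB and Free_MB as metric names, all in megabytes.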