Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eval to convert everything to same unit before indexing as metrics?

djluke
Path Finder
‎06-15-2022 03:17 AM

Hello splunkers,
I need your help to find a solution for the following issue.
I have a log file as a source that I'm indexing as metrics

Sample Event

 

2022/06/15 10:15:22 Total: 1G Used: 65332K Free: 960.2M

 

 

I'm able to index values in a metric index but I would like to convert everything to the same unit before doing this.
I tried with eval but it doesn't work

props.conf

 

DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
TRANSFORMS-extract_test = fields_extract_test
EVAL-Total = Total*100
METRIC-SCHEMA-TRANSFORMS = metric-schema:extract_metrics_test

 

transforms.conf

 

[fields_extract_test]
REGEX = .*Total: (.*?)([A-Z]) Used: (.*?)([A-Z]) Free: (.*?)([A-Z])
FORMAT = Total::$1 Total_Unit::$2 Used::$3 Used_Unit::$4 Free::$5 Free_Unit::$6
WRITE_META = true

[metric-schema:extract_metrics_test]
METRIC-SCHEMA-MEASURES = _ALLNUMS_
METRIC-SCHEMA-WHITELIST-DIMS = Total,Total_Unit,Used,Used_Unit,Free,Free_Unit

 

How to do this?
Thanks in advance

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 09:52 AM

Here is one presentation with examples https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 03:46 AM

Hi

in indexing phase you should use INGEST_EVAL in transforms.conf instead of EVAL in props.conf (this is search time option).

r. Ismo

0 Karma
Reply
Solved! Jump to solution

djluke
Path Finder
‎06-21-2022 07:23 AM

Hi,
thanks for your reply.
I tried with INGEST_EVAL but it doesn't work (at least as expected)
I used it like

INGEST_EVAL = Total = case(Total_Unit="G",Total*1024,Total_Unit="M",Total,Total_Unit="K",Total/1024)

Maybe I'm doing something wrong
Could you please provide an example based on data in the first message? 
Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 09:52 AM

Here is one presentation with examples https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

 

0 Karma
Reply
Solved! Jump to solution

djluke
Path Finder
‎07-12-2022 11:29 PM

Hi,
thanks for your suggestion.
It took me a little bit but at the end I got the right point.
Just a little tip for anybody will fall into the same issue: it seems that you can use just one INGEST_EVAL per stanza. To add more fields you have to split rules with comma as you'd do in spl.

 

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...