
How to use values in field names to calculate against field values from eval or rex?

mjones414
Contributor

I have several field values in one sourcetype that are variable limits that can change week by week. The need I have is to always take the value of the field which can change, and divide it by the n# value in the field name. So for example, in the first line, I need to take 512 and divide that by 16 and have the solution be the new value of that field, and I need to do this for each field. So far, I've come up empty on how to appropriately do this. Any ideas?

Sample data:
resources_available.jg_n16_128_none_FDR1_rd_a = 512
resources_available.jg_n16_128_none_FEX_gsu_a = 1584
resources_available.jg_n16_128_none_FEX_gsu_b = 3200
resources_available.jg_n16_128_none_FEX_gsu_c = 1600
resources_available.jg_n16_128_none_FEX_gsu_d = 0
resources_available.jg_n16_128_none_FEX_gsu_e = 0
resources_available.jg_n16_128_none_FEX_gsu_f = 0
resources_available.jg_n16_128_none_FEX_rd_a = 0
resources_available.jg_n16_128_none_FEX_rd_b = 0
resources_available.jg_n16_128_none_FEX_rd_c = 0
resources_available.jg_n16_128_none_FEX_rd_d = 0
resources_available.jg_n16_128_none_FEX_rd_e = 0
resources_available.jg_n16_128_none_FEX_rd_f = 0
resources_available.jg_n24_256_kepler_FEX_gsu_a = 4920
resources_available.jg_n24_256_kepler_FEX_gsu_b = 0
resources_available.jg_n24_256_kepler_FEX_gsu_c = 0
resources_available.jg_n24_256_kepler_FEX_rd_a = 720
resources_available.jg_n24_256_kepler_FEX_rd_b = 0
resources_available.jg_n24_256_kepler_FEX_rd_c = 0
resources_available.jg_n24_256_none_FDR2_rd_a = 4320
resources_available.jg_n24_256_none_FEX_Q1_a = 2400
resources_available.jg_n24_256_none_FEX_gsu_a = 12000
resources_available.jg_n24_256_none_FEX_gsu_b = 0
resources_available.jg_n24_256_none_FEX_gsu_c = 0
resources_available.jg_n24_256_none_FEX_gsu_d = 0
resources_available.jg_n24_256_none_FEX_gsu_e = 0
resources_available.jg_n24_256_none_FEX_gsu_f = 0
resources_available.jg_n24_256_none_FEX_rd_a = 2400
resources_available.jg_n24_256_none_FEX_rd_b = 14928
resources_available.jg_n24_256_none_FEX_rd_c = 0
resources_available.jg_n24_256_none_FEX_rd_d = 0
resources_available.jg_n24_256_none_FEX_rd_e = 0
resources_available.jg_n24_256_none_FEX_rd_f = 0
resources_available.jg_n24_256_pdd_FEX_sco_a = 48
resources_available.jg_n24_256_testa_FEX_gsu_a = 24
resources_available.jg_n24_256_testb_FEX_gsu_a = 24
resources_available.jg_n24_512_k80_FDR3_rd_a = 936
resources_available.jg_n24_512_k80_FDR3_rd_b = 0
resources_available.jg_ntape16_128_none_FEX_sco_a = 96
resources_available.jg_t24_256_none_FDR2_rd_a = 96
resources_available.jg_t24_256_none_FEX_rd_a = 480
resources_available.jg_test = 240


sundareshr
Legend

See if this gives you what you are looking for

.... | table resources_available* | transpose | rename column AS field row1 AS value | rex field=field "\_n(?<n>\d+)\_" | eval value=value/n

javiergn
Super Champion

Is this what you are looking for?

your base search
| foreach resources_available.* [eval temp="<<FIELD>>" | rex field=temp "\_n(?<n>\d+)\_" | eval <<FIELD>> = '<<FIELD>>'/n ]

Example:

| stats count | fields - count
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512
| eval resources_available.jg_n16_128_none_FEX_rd_f = 0
| eval resources_available.jg_n24_256_kepler_FEX_rd_a = 720

Output: see picture below

[screenshot of the resulting table not reproduced]
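To make the mechanics of this answer concrete, here is an added Python illustration (not code from the thread or from Splunk) that mirrors what the rex/eval pair inside the foreach does to a single event. The input is a constructed dictionary with values copied from the question. It also surfaces an edge case the SPL has: the pattern `_n(\d+)_` only matches an underscore, the letter n, digits and another underscore, so field names like jg_ntape16_128..., jg_t24_256... and jg_test yield no n, and Splunk's eval leaves their result null (None below). The function names and the `unmatched_fields` helper are this example's own, not anything in the thread.

```python
import re

# Constructed sample event: a subset of the field/value pairs from the question.
SAMPLE_EVENT = {
    "resources_available.jg_n16_128_none_FDR1_rd_a": 512,
    "resources_available.jg_n16_128_none_FEX_gsu_a": 1584,
    "resources_available.jg_n24_256_kepler_FEX_rd_a": 720,
    "resources_available.jg_n24_512_k80_FDR3_rd_a": 936,
    "resources_available.jg_n24_256_none_FEX_gsu_b": 0,
    "resources_available.jg_ntape16_128_none_FEX_sco_a": 96,
    "resources_available.jg_t24_256_none_FDR2_rd_a": 96,
    "resources_available.jg_test": 240,
}

# Same regex the accepted answer passes to rex: "_n", one or more digits, "_".
# Only the digits are captured into the group n.
N_PATTERN = re.compile(r"_n(?P<n>\d+)_")


def divide_by_n(event):
    """Mirror of: foreach resources_available.* [eval temp="<<FIELD>>"
    | rex field=temp "\\_n(?<n>\\d+)\\_" | eval <<FIELD>> = '<<FIELD>>'/n].

    Returns a new dict. A field whose name has no _n<digits>_ segment maps
    to None, matching the null that Splunk's eval produces when n is null.
    Fields outside the foreach wildcard are passed through untouched.
    """
    out = {}
    for field, value in event.items():
        if not field.startswith("resources_available."):
            out[field] = value  # not selected by resources_available.*
            continue
        match = N_PATTERN.search(field)
        if match is None:
            out[field] = None  # rex found no n, so value/n is null
            continue
        n = int(match.group("n"))
        out[field] = value / n
    return out


def unmatched_fields(event):
    """Names of resources_available.* fields the pattern does not cover."""
    return sorted(f for f, v in divide_by_n(event).items() if v is None)


if __name__ == "__main__":
    for field, result in divide_by_n(SAMPLE_EVENT).items():
        print(f"{field} = {result}")
    print("no n found in:", unmatched_fields(SAMPLE_EVENT))
```

Running it shows 512/16 = 32, 1584/16 = 99, 720/24 = 30 and 936/24 = 39 alongside the three unmatched names, which is a quick way to check whether the foreach will silently null out any limits before relying on the result.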

mjones414
Contributor

If we ever meet, I will buy you a beer! This is EXACTLY what I was looking for!!

somesoni2
Revered Legend

Does "resources_available.jg_n16_128_none_FDR1_rd_a" come in as the full field name? Are all these lines part of one event?


mjones414
Contributor

All these lines are part of one event, and yes, that would be the full field name, with Splunk graciously changing .'s to _'s because it hates .'s in field names 🙂
