I have several field values in one sourcetype that are variable limits that can change week by week. The need I have is to always take the value of the field which can change, and divide it by the n# value in the field name. So for example, in the first line, I need to take 512 and divide that by 16 and have the solution be the new value of that field, and I need to do this for each field. So far, I've come up empty on how to appropriately do this. Any ideas?
Sample data:
resources_available.jg_n16_128_none_FDR1_rd_a = 512
resources_available.jg_n16_128_none_FEX_gsu_a = 1584
resources_available.jg_n16_128_none_FEX_gsu_b = 3200
resources_available.jg_n16_128_none_FEX_gsu_c = 1600
resources_available.jg_n16_128_none_FEX_gsu_d = 0
resources_available.jg_n16_128_none_FEX_gsu_e = 0
resources_available.jg_n16_128_none_FEX_gsu_f = 0
resources_available.jg_n16_128_none_FEX_rd_a = 0
resources_available.jg_n16_128_none_FEX_rd_b = 0
resources_available.jg_n16_128_none_FEX_rd_c = 0
resources_available.jg_n16_128_none_FEX_rd_d = 0
resources_available.jg_n16_128_none_FEX_rd_e = 0
resources_available.jg_n16_128_none_FEX_rd_f = 0
resources_available.jg_n24_256_kepler_FEX_gsu_a = 4920
resources_available.jg_n24_256_kepler_FEX_gsu_b = 0
resources_available.jg_n24_256_kepler_FEX_gsu_c = 0
resources_available.jg_n24_256_kepler_FEX_rd_a = 720
resources_available.jg_n24_256_kepler_FEX_rd_b = 0
resources_available.jg_n24_256_kepler_FEX_rd_c = 0
resources_available.jg_n24_256_none_FDR2_rd_a = 4320
resources_available.jg_n24_256_none_FEX_Q1_a = 2400
resources_available.jg_n24_256_none_FEX_gsu_a = 12000
resources_available.jg_n24_256_none_FEX_gsu_b = 0
resources_available.jg_n24_256_none_FEX_gsu_c = 0
resources_available.jg_n24_256_none_FEX_gsu_d = 0
resources_available.jg_n24_256_none_FEX_gsu_e = 0
resources_available.jg_n24_256_none_FEX_gsu_f = 0
resources_available.jg_n24_256_none_FEX_rd_a = 2400
resources_available.jg_n24_256_none_FEX_rd_b = 14928
resources_available.jg_n24_256_none_FEX_rd_c = 0
resources_available.jg_n24_256_none_FEX_rd_d = 0
resources_available.jg_n24_256_none_FEX_rd_e = 0
resources_available.jg_n24_256_none_FEX_rd_f = 0
resources_available.jg_n24_256_pdd_FEX_sco_a = 48
resources_available.jg_n24_256_testa_FEX_gsu_a = 24
resources_available.jg_n24_256_testb_FEX_gsu_a = 24
resources_available.jg_n24_512_k80_FDR3_rd_a = 936
resources_available.jg_n24_512_k80_FDR3_rd_b = 0
resources_available.jg_ntape16_128_none_FEX_sco_a = 96
resources_available.jg_t24_256_none_FDR2_rd_a = 96
resources_available.jg_t24_256_none_FEX_rd_a = 480
resources_available.jg_test = 240
See if this gives you what you are looking for
.... | table resources_available* | transpose | rename column AS field, "row 1" AS value | rex field=field "\_n(?<n>\d+)\_" | eval value=value/n
Is this what you are looking for?
your base search
| foreach resources_available.* [eval temp="<<FIELD>>" | rex field=temp "\_n(?<n>\d+)\_" | eval <<FIELD>> = '<<FIELD>>'/n ]
Example:
| stats count | fields - count
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512
| eval resources_available.jg_n16_128_none_FEX_rd_f = 0
| eval resources_available.jg_n24_256_kepler_FEX_rd_a = 720
Output: see picture below
If we ever meet, I will buy you a beer! This is EXACTLY what I was looking for!!
Does "resources_available.jg_n16_128_none_FDR1_rd_a" come as the full field name? Are all these lines part of one event?
All these lines are part of one event and yes that would be the full field name with Splunk graciously changing .'s to _s's because it hates .'s in field names 🙂
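Added example, not written by anyone in this thread: a variant of the foreach approach for the fields in the sample data that carry no `_n<digits>_` token (`jg_test`, `jg_t24_...`, `jg_ntape16_...`). It computes the divisor per field and leaves the value unchanged when no divisor is found. The helper field name `n_tmp` is chosen here, and the four test fields are constructed from the sample data above.

```spl
| makeresults
| eval "resources_available.jg_n16_128_none_FDR1_rd_a" = 512,
       "resources_available.jg_n24_256_kepler_FEX_rd_a" = 720,
       "resources_available.jg_ntape16_128_none_FEX_sco_a" = 96,
       "resources_available.jg_test" = 240
| foreach resources_available.*
    [ eval n_tmp = tonumber(replace("<<FIELD>>", "^.*_n(\d+)_.*$", "\1")),
           "<<FIELD>>" = if(isnull(n_tmp) OR n_tmp == 0, '<<FIELD>>', '<<FIELD>>' / n_tmp) ]
| fields - n_tmp _time
```

`replace` returns the field name unchanged when the pattern does not match, so `tonumber` yields null and the `if` keeps the original value. With the constructed values the n16 field becomes 32 and the n24 field becomes 30, while the other two stay at 96 and 240.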