Splunk Search

How to use values in field names to calculate against field values from eval or rex?

mjones414
Contributor

Sample data:
I have several field values in one sourcetype that are variable limits that can change week by week. The need I have is to always take the value of the field which can change, and divide it by the n# value in the field name. So for example, in the first line, I need to take 512 and divide that by 16 and have the solution be the new value of that field, and I need to do this for each field. So far, I've come up empty on how to appropriately do this. Any ideas?

resources_available.jg_n16_128_none_FDR1_rd_a = 512
resources_available.jg_n16_128_none_FEX_gsu_a = 1584
resources_available.jg_n16_128_none_FEX_gsu_b = 3200
resources_available.jg_n16_128_none_FEX_gsu_c = 1600
resources_available.jg_n16_128_none_FEX_gsu_d = 0
resources_available.jg_n16_128_none_FEX_gsu_e = 0
resources_available.jg_n16_128_none_FEX_gsu_f = 0
resources_available.jg_n16_128_none_FEX_rd_a = 0
resources_available.jg_n16_128_none_FEX_rd_b = 0
resources_available.jg_n16_128_none_FEX_rd_c = 0
resources_available.jg_n16_128_none_FEX_rd_d = 0
resources_available.jg_n16_128_none_FEX_rd_e = 0
resources_available.jg_n16_128_none_FEX_rd_f = 0
resources_available.jg_n24_256_kepler_FEX_gsu_a = 4920
resources_available.jg_n24_256_kepler_FEX_gsu_b = 0
resources_available.jg_n24_256_kepler_FEX_gsu_c = 0
resources_available.jg_n24_256_kepler_FEX_rd_a = 720
resources_available.jg_n24_256_kepler_FEX_rd_b = 0
resources_available.jg_n24_256_kepler_FEX_rd_c = 0
resources_available.jg_n24_256_none_FDR2_rd_a = 4320
resources_available.jg_n24_256_none_FEX_Q1_a = 2400
resources_available.jg_n24_256_none_FEX_gsu_a = 12000
resources_available.jg_n24_256_none_FEX_gsu_b = 0
resources_available.jg_n24_256_none_FEX_gsu_c = 0
resources_available.jg_n24_256_none_FEX_gsu_d = 0
resources_available.jg_n24_256_none_FEX_gsu_e = 0
resources_available.jg_n24_256_none_FEX_gsu_f = 0
resources_available.jg_n24_256_none_FEX_rd_a = 2400
resources_available.jg_n24_256_none_FEX_rd_b = 14928
resources_available.jg_n24_256_none_FEX_rd_c = 0
resources_available.jg_n24_256_none_FEX_rd_d = 0
resources_available.jg_n24_256_none_FEX_rd_e = 0
resources_available.jg_n24_256_none_FEX_rd_f = 0
resources_available.jg_n24_256_pdd_FEX_sco_a = 48
resources_available.jg_n24_256_testa_FEX_gsu_a = 24
resources_available.jg_n24_256_testb_FEX_gsu_a = 24
resources_available.jg_n24_512_k80_FDR3_rd_a = 936
resources_available.jg_n24_512_k80_FDR3_rd_b = 0
resources_available.jg_ntape16_128_none_FEX_sco_a = 96
resources_available.jg_t24_256_none_FDR2_rd_a = 96
resources_available.jg_t24_256_none_FEX_rd_a = 480
resources_available.jg_test = 240

0 Karma

sundareshr
Legend

See if this gives you what you are looking for

.... | table resources_available.* | transpose | rename column AS field, "row 1" AS value | rex field=field "_n(?<n>\d+)_" | eval value=value/n
0 Karma

javiergn
Super Champion

Is this what you are looking for?

your base search
| foreach resources_available.* [eval temp="<<FIELD>>" | rex field=temp "\_n(?<n>\d+)\_" | eval <<FIELD>> = '<<FIELD>>'/n ]

Example:

| stats count | fields - count
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512
| eval resources_available.jg_n16_128_none_FEX_rd_f = 0
| eval resources_available.jg_n24_256_kepler_FEX_rd_a = 720

Output: see picture below

[image: output table]
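A complete, stand-alone version of the foreach/rex technique in the answer above, finished off with the transpose display from sundareshr's answer, added here as an editor's example rather than code from either poster. It fakes the single event with makeresults and four constructed fields (a subset of the posted sample) and adds one guard the original searches lack: rex does not touch n when the field name has no _n<digits>_ segment, so inside foreach a stale n from the previous field would silently be reused for a name like jg_ntape16_... or jg_test. Resetting n to null() on every iteration and leaving such fields unchanged is an assumption about what the asker wants for those names; the original question does not say.

```spl
| makeresults
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512,
       resources_available.jg_n24_256_kepler_FEX_rd_a = 720,
       resources_available.jg_ntape16_128_none_FEX_sco_a = 96,
       resources_available.jg_test = 240
| fields - _time
| foreach resources_available.* [
      eval n = null(), fname = "<<FIELD>>"
    | rex field=fname "_n(?<n>\d+)_"
    | eval <<FIELD>> = if(isnotnull(n), '<<FIELD>>' / n, '<<FIELD>>')
  ]
| fields - n fname
| transpose
| rename column AS field, "row 1" AS value
```

Replace the makeresults/eval lines with the real base search to run it against live data. The regex requires digits immediately after _n, so _ntape16_ and _none_ do not match and those fields keep their value; 512 and 720 are divided by 16 and 24 respectively. If a field without an n in its name should instead be dropped or zeroed, change the else branch of the if().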

mjones414
Contributor

If we ever meet, I will buy you a beer! This is EXACTLY what I was looking for!!

somesoni2
Revered Legend

Does "resources_available.jg_n16_128_none_FDR1_rd_a" come as the full field name? Are all these lines part of one event?

0 Karma

mjones414
Contributor

All these lines are part of one event, and yes, that would be the full field name, with Splunk graciously changing .'s to _'s because it hates .'s in field names 🙂

0 Karma