Solved: How to use values in field names to calculate agai...

mjones414 · ‎07-08-2016

Sample data:
I have several field values in one sourcetype that are variable limits that can change week by week. The need I have is to always take the value of the field which can change, and divide it by the n# value in the field name. So for example, in the first line, I need to take 512 and divide that by 16 and have the solution be the new value of that field, and I need to do this for each field. So far, I've come up empty on how to appropriately do this. Any ideas?

resources_available.jg_n16_128_none_FDR1_rd_a = 512
resources_available.jg_n16_128_none_FEX_gsu_a = 1584
resources_available.jg_n16_128_none_FEX_gsu_b = 3200
resources_available.jg_n16_128_none_FEX_gsu_c = 1600
resources_available.jg_n16_128_none_FEX_gsu_d = 0
resources_available.jg_n16_128_none_FEX_gsu_e = 0
resources_available.jg_n16_128_none_FEX_gsu_f = 0
resources_available.jg_n16_128_none_FEX_rd_a = 0
resources_available.jg_n16_128_none_FEX_rd_b = 0
resources_available.jg_n16_128_none_FEX_rd_c = 0
resources_available.jg_n16_128_none_FEX_rd_d = 0
resources_available.jg_n16_128_none_FEX_rd_e = 0
resources_available.jg_n16_128_none_FEX_rd_f = 0
resources_available.jg_n24_256_kepler_FEX_gsu_a = 4920
resources_available.jg_n24_256_kepler_FEX_gsu_b = 0
resources_available.jg_n24_256_kepler_FEX_gsu_c = 0
resources_available.jg_n24_256_kepler_FEX_rd_a = 720
resources_available.jg_n24_256_kepler_FEX_rd_b = 0
resources_available.jg_n24_256_kepler_FEX_rd_c = 0
resources_available.jg_n24_256_none_FDR2_rd_a = 4320
resources_available.jg_n24_256_none_FEX_Q1_a = 2400
resources_available.jg_n24_256_none_FEX_gsu_a = 12000
resources_available.jg_n24_256_none_FEX_gsu_b = 0
resources_available.jg_n24_256_none_FEX_gsu_c = 0
resources_available.jg_n24_256_none_FEX_gsu_d = 0
resources_available.jg_n24_256_none_FEX_gsu_e = 0
resources_available.jg_n24_256_none_FEX_gsu_f = 0
resources_available.jg_n24_256_none_FEX_rd_a = 2400
resources_available.jg_n24_256_none_FEX_rd_b = 14928
resources_available.jg_n24_256_none_FEX_rd_c = 0
resources_available.jg_n24_256_none_FEX_rd_d = 0
resources_available.jg_n24_256_none_FEX_rd_e = 0
resources_available.jg_n24_256_none_FEX_rd_f = 0
resources_available.jg_n24_256_pdd_FEX_sco_a = 48
resources_available.jg_n24_256_testa_FEX_gsu_a = 24
resources_available.jg_n24_256_testb_FEX_gsu_a = 24
resources_available.jg_n24_512_k80_FDR3_rd_a = 936
resources_available.jg_n24_512_k80_FDR3_rd_b = 0
resources_available.jg_ntape16_128_none_FEX_sco_a = 96
resources_available.jg_t24_256_none_FDR2_rd_a = 96
resources_available.jg_t24_256_none_FEX_rd_a = 480
resources_available.jg_test = 240

javiergn · ‎07-08-2016

Is this what you are looking for?

your base search
| foreach resources_available.* [eval temp="<<FIELD>>" | rex field=temp "\_n(?<n>\d+)\_" | eval <<FIELD>> = '<<FIELD>>'/n ]

Example:

| stats count | fields - count
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512
| eval resources_available.jg_n16_128_none_FEX_rd_f = 0
| eval resources_available.jg_n24_256_kepler_FEX_rd_a = 720

Output: see picture below

View solution in original post

sundareshr · ‎07-08-2016

See if this gives you what you are looking for

.... | table resouce_available* | transpose | rename column AS field row1 as value | rex field=field "\_n(?<n>\d+)\_" | eval value=value/n

javiergn · ‎07-08-2016

Is this what you are looking for?

your base search
| foreach resources_available.* [eval temp="<<FIELD>>" | rex field=temp "\_n(?<n>\d+)\_" | eval <<FIELD>> = '<<FIELD>>'/n ]

Example:

| stats count | fields - count
| eval resources_available.jg_n16_128_none_FDR1_rd_a = 512
| eval resources_available.jg_n16_128_none_FEX_rd_f = 0
| eval resources_available.jg_n24_256_kepler_FEX_rd_a = 720

Output: see picture below

mjones414 · ‎07-08-2016

If we ever meet, I will buy you a beer! This is EXACTLY what I was looking for!!

somesoni2 · ‎07-08-2016

Does "resources_available.jg_n16_128_none_FDR1_rd_a" comes as full field name? Do all these lines are part on one event ?

mjones414 · ‎07-08-2016

All these lines are part of one avent and yes that would be the full field name with splunk graciously changing .'s to _s's because it hates .'s in field names 🙂

How to use values in field names to calculate against field values from eval or rex?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to use values in field names to calculate against field values from eval or rex?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard