Splunk Search

How to use wildcards with eval to create a field/value pair that is the direct value of a random field matching a pattern?

mjones414
Contributor

I have a dataset where each event will have a field that is the name of a particular group. this field has a standard naming convention which makes it easy to pick out, but its value is a numerical value that can be different for each event. I need to create an eval field that is the value of whatever particular field this is by matching on its naming convention, but eval doesn't seem to take wildcards very well.

e.g.
event1
coolfielda=12


event2
coolfieldb=15


event3
coolfielda=13

eval coolfactor=match(coolfield%)

or eval coolfactor=match(%oolfie%) <-- would be more the case based on the naming convention

Any help is appreciated!.

Tags (2)
0 Karma

aweitzman
Motivator

I think this might work for you, provided there's only one "cool field" per event:

... your search ... | foreach *oolfie* [eval coolfactor='<<FIELD>>']

This won't work if there's more than one such field per event because the foreach clause will keep overwriting the coolfactor field with all of the fields until the last one. But if you only have one per event, this should do the trick.

Alternatively, if you know the names of the fields ahead of time, you can use coalesce instead:

... your search ... | eval coolfactor=coalesce(coolfielda,coolfieldb,coolfieldc)

But you can't use coalesce with a wildcard. Thus the foreach construction above.

0 Karma

mjones414
Contributor

This is getting me super close, but not quite there

Your first example worked for one subset, but I think perhaps I did a bad job of explaining the whole problem:

so I have one sourcetype that contains 2 types of events.

One event looks like this:

Job Id: 78172.queue01
Job_Name = bob
Job_Owner = bob@queue01
resources_used.cpupercent = 0
resources_used.cput = 00:00:24
resources_used.mem = 12356kb
resources_used.ncpus = 384
resources_used.vmem = 408076kb
resources_used.walltime = 00:00:21
job_state = R
queue = parallel
Resource_List.jg_n24_256_none_FEX_rd_a = 384

And another event will look like this

resources_available.jg_n24_256_kepler_FEX_rd_a = 648
resources_available.jg_n24_256_kepler_FEX_rd_b = 0
resources_available.jg_n24_256_kepler_FEX_rd_c = 0

resources_available.jg_n24_256_none_FEX_rd_a = 6384
resources_available.jg_n24_256_none_FEX_rd_b = 9472
resources_available.jg_n24_256_none_FEX_rd_c = 1536
resources_available.jg_n24_256_none_FEX_rd_d = 0
resources_available.jg_n24_256_none_FEX_rd_e = 0

The resource_list value is what is requested, the resources_available number is what is available and the stuff in between are sets of queues. What I'm attempting to do is determine what percentage of the request event A is being used of whats available in event B.

0 Karma

aweitzman
Motivator

Oh, well, that's something very different. 🙂

You'll need some rex commands in here to extract the string you want into its own field. You'll need two, one for the first kind and one for the second kind, something like this:

... | rex "Resource_List\.(?<resname>\w+)\s+=\s+(?<num>\d+)" | rex "resources_available\.(?<resname>\w+)\s+=\s+(?<denom>\d+)" | ...

Now you have an event with your resource name and numerator, and another event with the resource name and denominator. Then use stats and eval to get your percentage

... | stats sum(num) as num sum(denom) as denom by resname | eval percentage=(num*100/denom)
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...