I need some assistance in calculating latency values. I have many hosts, logging transformation latency in different ways. Some of these events contain a field called transformation_latency (host=barfoo1, host=barfoo2), the others contain total_latency and backend_latency (host=foobar01, host=foobar02, foobar03).
The logic works as follows: If host=foobar*, transformation_latency=(total_latency - backend_latency)
My stats function looks like |stats avg(transformation_latency)
I have found using eval statements, I cannot use a wildcard. I am seeking a way to perform this calculation and assign a transformation_latency if one is not present in the event.
I have tried eval field=if(isnull(field),elsefield,field)
But, as we continue to add hosts, logs will differ and I must more implicitly state that this specific calculation applies to hosts like %foobar0% only.
Thanks!
This is not a foreach use case.
This is actually much simpler. Before your stats command, do this:
| eval transformation_latency=coalesce(transformation_latency, total_latency-backend_latency)
The name of the host doesn't matter. The presence or absence of your transformation_latency field is all that matters. If it is there, use it. If it isn't, calculate it.
So this works for my current state. However, I will need to perform a different calculation based on host parameters in the near future that will not handle a null value for transformation_latency the same way as above.
To be more specific, I calculate backend_latency using the addtotals command for iterative backend calls, but I will need the max backend_latency* for parallel calls. I've found I need to use the coalesce function prior to the addtotals command to have null values handled properly. So how can I state, use (total_latency-backend_latency) if host=xyz, use (total_latency-max_backend_latency) if host=abc. Any suggestions? Thanks!
Well, once again, is max_backend_latency null in cases where you need to use backend_latency? If so, same trick. For clarity, we'll converge them to a 3rd field.
| eval my_backend_latency=coalesce(max_backend_latency,backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)
If you really have your heart set on doing conditionals based on host, which I'm steering you away from because that kind of procedural-think usually leads to unnecessary complexity, I'll show you how.
| eval my_backend_latency=case(searchmatch("host=xyz*"), backend_latency, searchmatch("host=abc*"), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)
You could also use if instead of case if you only had 2 conditions. You could also use match instead of searchmatch if you like regex better.
You should study this: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions
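Added example, not part of the original answers: a self-contained search that runs the host-conditional form next to the plain coalesce form on events where both backend_latency and max_backend_latency are present, and flags hosts that no rule covers. All sample rows and values are constructed; constructed_row, by_coalesce, status and the host newhost9 are illustrative names, and it assumes a Splunk version that provides makeresults.

```spl
| makeresults count=5
| streamstats count AS constructed_row
| eval host=case(constructed_row=1,"barfoo1", constructed_row=2,"foobar01", constructed_row=3,"xyz01", constructed_row=4,"abc01", constructed_row=5,"newhost9")
| eval transformation_latency=if(constructed_row=1, 40, null())
| eval total_latency=case(constructed_row=2,120, constructed_row=3,150, constructed_row=4,200, constructed_row=5,90)
| eval backend_latency=case(constructed_row=2,70, constructed_row=3,110, constructed_row=4,170)
| eval max_backend_latency=case(constructed_row=3,60, constructed_row=4,90)
| eval by_coalesce=total_latency-coalesce(max_backend_latency, backend_latency)
| eval my_backend_latency=case(match(host,"^(foobar|xyz)"), backend_latency, match(host,"^abc"), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)
| eval status=case(isnull(transformation_latency),"no rule or missing fields", transformation_latency<0,"negative: wrong field pairing", true(),"ok")
| table host total_latency backend_latency max_backend_latency by_coalesce transformation_latency status
```

On the xyz01 row, by_coalesce and transformation_latency disagree because both backend fields are populated, which is the case where the host rule is needed. Because stats avg() skips events where the field is null, the status column is what shows that a newly added host has dropped out of the average.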
I have checked the examples. This seems like it will help. How can I explicitly state the host value using a wildcard rather than just a wildcard field?
This does not work,
foreach host=foobar* [eval transformation_latency=total_latency-backend]
I have already initialized all variables by the time of the foreach statement. I need to perform this calculation dependent on host value.
Thank you for your time and prompt assistance!