Splunk Search

Performing basic calculations, eval statement and wildcard

bcatwork
Path Finder

I need some assistance in calculating latency values. I have many hosts, logging transformation latency in different ways. Some of these events contain a field called transformation_latency (host=barfoo1, host=barfoo2); the others contain total_latency and backend_latency (host=foobar01, host=foobar02, host=foobar03).

The logic works as follows: If host=foobar*, transformation_latency=(total_latency - backend_latency)

My stats function looks like:

| stats avg(transformation_latency)

I have found that, using eval statements, I cannot use a wildcard. I am seeking a way to perform this calculation and assign a transformation_latency if one is not present in the event.

I have tried:

eval field=if(isnull(field),elsefield,field)

But, as we continue to add hosts, logs will differ and I must more implicitly state that this specific calculation applies to hosts like %foobar0% only.

Thanks!


jacobwilkins
Communicator

This is not a foreach usecase.

This is actually much simpler. Before your stats command, do this:

| eval transformation_latency=coalesce(transformation_latency, total_latency-backend_latency)

The name of the host doesn't matter. The presence or absence of your transformation_latency field is all that matters. If it is there, use it. If it isn't, calculate it.

bcatwork
Path Finder

So this works for my current state. However, I will need to perform a different calculation based on host parameters in the near future that will not handle a null value for transformation_latency the same way as above.

To be more specific, I calculate backend_latency using the addtotals command for iterative backend calls, but I will need the max backend_latency for parallel calls. I've found I need to use the coalesce function prior to the addtotals command to have null values handled properly. So how can I state: use (total_latency-backend_latency) if host=xyz, use (total_latency-max_backend_latency) if host=abc? Any suggestions? Thanks!


jacobwilkins
Communicator

Well, once again, is max_backend_latency null in cases where you need to use backend_latency? If so, same trick. For clarity, we'll converge them to a 3rd field.

 | eval my_backend_latency=coalesce(max_backend_latency,backend_latency)
 | eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

If you really have your heart set on doing conditionals based on host, which I'm steering you away from because that kind of procedural-think usually leads to unnecessary complexity, I'll show you how.

| eval my_backend_latency=case(searchmatch("host=xyz*"), backend_latency, searchmatch("host=abc*"), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

You could also use if instead of case if you only had 2 conditions. You could also use match instead of searchmatch if you like regex better.

You should study this: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions
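The two answers above, combined into one self-contained search that you can paste into a search bar. This is an added example, not code from the thread: the three events are constructed with makeresults (host names barfoo1, foobar01 and abc01 and all latency numbers are made up here), my_backend_latency is the helper field name from the answer above, and the host prefixes are matched with match() (regex) rather than searchmatch(). It goes one step beyond the answer by adding a true() default branch to the case(), so a host that matches neither prefix still falls back to the coalesce() behaviour instead of producing a null my_backend_latency and therefore a null transformation_latency.

```spl
| makeresults count=1
| eval host="barfoo1", transformation_latency=120
| append [| makeresults count=1 | eval host="foobar01", total_latency=500, backend_latency=300]
| append [| makeresults count=1 | eval host="abc01", total_latency=800, max_backend_latency=450]
| eval my_backend_latency=case(
    match(host, "^foobar0"), backend_latency,
    match(host, "^abc"), max_backend_latency,
    true(), coalesce(max_backend_latency, backend_latency))
| eval transformation_latency=coalesce(transformation_latency, total_latency - my_backend_latency)
| stats avg(transformation_latency) AS avg_transformation_latency BY host
```

The first event already carries transformation_latency, so coalesce() keeps its 120 and never touches the subtraction; foobar01 gets 500-300=200 via the backend_latency branch; abc01 gets 800-450=350 via the max_backend_latency branch. Drop the makeresults/append lines and keep the two eval lines plus the stats line when running against real index data; the case() only decides which backend field feeds the subtraction, the null handling still comes from coalesce().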

bcatwork
Path Finder

I have checked the examples. This seems like it will help. How can I explicitly state the host value using a wildcard rather than just a wildcard field?

This does not work:

foreach host=foobar* [eval transformation_latency=total_latency-backend]

I have already initialized all variables by the time of the foreach statement. I need to perform this calculation dependent on host value.

Thank you for your time and prompt assistance!
