Splunk Search

Rename same field different things

tb582
Explorer

I have a search using transaction with startswith/endswith, but I don't know how to call the Task_time field in the startswith event of my transaction "Encode Time" and the Task_time field in the endswith event "Transfer Time".


Stephen_Sorkin
Splunk Employee

You can use eval to achieve this, by evaluating those fields before the transaction. Suppose the initial event includes the word "Encode" and the final event contains the word "Transfer". For example:

... | eval Encode_Time=if(searchmatch("Encode"), Task_time, null())
| eval Transfer_time=if(searchmatch("Transfer"), Task_time, null())
| transaction <uid>

Alternately, if the Encode event really starts the transaction and the Transfer event really ends it, you can just use eval after the transaction to pick the values of the Task_time multivalued field:

... | transaction <uid>
| eval Encode_time = mvindex(Task_time, 0)
| eval Transfer_time = mvindex(Task_time, -1)
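The first approach carried through end to end, combined with the fieldformat step discussed further down the thread. This is an added example, not the answerer's own search; the index, sourcetype, host, task_id and event strings are the ones from the asker's posted search, Task_time is assumed to be milliseconds, and the first line restricts the events fed to transaction to the two lines of interest so that Task_time of any other event never leaks into the result.

```spl
index=myindex sourcetype=box-app (host=box04* OR host=box050)
    ("SUCCESS : 100% : Encode completed" OR "SUCCESS : 100% : (PUSH) completed")
| eval Encode   = if(searchmatch("Encode completed"), Task_time, null())
| eval Transfer = if(searchmatch("PUSH completed"),   Task_time, null())
| transaction task_id
    startswith="SUCCESS : 100% : Encode completed"
    endswith="SUCCESS : 100% : (PUSH) completed"
| eval Encode = tonumber(mvindex(Encode, 0)), Transfer = tonumber(mvindex(Transfer, -1))
| fieldformat Encode   = tostring(Encode/1000,   "duration")
| fieldformat Transfer = tostring(Transfer/1000, "duration")
| table task_id Encode Transfer
```

The tonumber/mvindex line is what avoids the "'/' only takes numbers" typechecking error: after transaction the merged fields are strings and may be multivalued, and fieldformat's division needs a single numeric value.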

tb582
Explorer

I keep getting "Error in 'fieldformat' command: Typechecking failed. '/' only takes numbers."


Stephen_Sorkin
Splunk Employee

You can put those at the very end, but you have to do it twice, once for each of the fields "Encode" and "Transfer", not for "Task_time". Also, you can combine the two. For instance, add: | fieldformat Encode = tostring(Encode/1000, "duration") | fieldformat Transfer = tostring(Transfer/1000, "duration")


tb582
Explorer

Where do I stick this, which converts milliseconds to HH:MM:SS?

eval inSec = Task_time / 1000 | fieldformat Task_time = tostring(inSec, "duration")


Stephen_Sorkin
Splunk Employee

Like in the original answer, you have two choices:

  1. Pick out the fields before the transaction using eval Encode=if(searchmatch("Encode completed"), Task_time, null()) and eval Transfer=if(searchmatch("PUSH completed"), Task_time, null()). This will leave each transaction with one value for Encode, and one value for Transfer.
  2. After the transaction, slice the multivalued "Task_time" field into two separate values using mvindex.

tb582
Explorer

Hehe, ok, finally that gets me down to the two lines per task_id that I'm looking for. Next, since both the encode and the copy line have a value for Task_time, how do I rename the encode Task_time field as one thing and the copy as another?


Stephen_Sorkin
Splunk Employee

You're absolutely right. Take out the NOT.


tb582
Explorer

Why would I add NOT if the encode and copy strings are exactly what I'm trying to get?

They each have one Task_time field per task_id.


Stephen_Sorkin
Splunk Employee

If you want to exclude other events from the transaction, you can add to the search part before the first pipe: NOT ("SUCCESS : 100% : Encode completed" OR "SUCCESS : 100% : (PUSH) completed").

Are you saying that the "Encode" and "Copy Transfer" fields have more than one value each?


tb582
Explorer

Doesn't seem to work, I get all the results within my start/end transaction, not just the two above that I'm looking for. They all have Task_time fields and I can't tell which ones are which if I can't rename them appropriately.


Stephen_Sorkin
Splunk Employee

You should be able to search:

index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval Encode = mvindex(Task_time, 0) | eval "Copy Transfer" = mvindex(Task_time, -1) | table "Encode" "Copy Transfer"


tb582
Explorer

Here's my search as it currently stands:

index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval starswith = mvindex(Task_time, 0) | rename Task_time AS " Encode" | eval endswith = mvindex(Task_time, -1) | rename Task_time AS "Copy Transfer" | fields " Encode" "Copy Transfer"


tb582
Explorer

Hmm, ok, I think we are getting somewhere, but encode and transfer are not really events, they are simply strings. I'm forcing them to be the first and last in the transaction by using the startswith/endswith parameters.
