I have some requests/responses going through my system. I want to get the size of each response.
The only information I have is a number of lines per request (each line is 4mb)
Currently I do the following:
eval ResponseSize=eventcount * 4
The 4mb might change so there is another place in the log file that prints what that size is.
Can I do a subsearch to pull this number and use it in the multiplication eval to get the ResponseSize?
You can use the fact that a subsearch will render the "query" field literally. For example:
... | eval ResponseSize = eventcount * [search ... | rename size as query | fields query | head 1]
| eval Result=number * [search ... | stats avg(dataset) ]
yields this error message: "Error in 'eval' command: Type checking failed. '*' only takes numbers."
The subsearch run on its own results in a single number. That number could possibly be considered a string, but if I try to convert it to a number with tonumber([search...]) then I get another error message: "Error in 'eval' command: The arguments to the 'tonumber' function are invalid."
If I try this: | eval SubSearchResult=[search ... | stats avg(dataset) ]
I get this error message: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
I need to be able to assign the result of a subsearch to a variable to be used in a calculation with data from the base search. How can I do this?
|makeresults | eval test=[|makeresults|eval t=1|return $t]
To substitute the result of subsearch, it should use
This time the subsearch result is a number, so no double quotes are needed.
If the subsearch result is a string, it should be wrapped in double quotes and
By the way,
|eventstats avg(dataset) as Result
Isn't this enough?
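Applying the accepted answer to the original question, as an added example that is not from any poster in this thread; `index=app`, the two sourcetypes, `request_id` and the log text `line_size_mb=4` are assumed. The subsearch renders its `query` field literally, so eval sees `eventcount * 4`, whereas a bare `stats avg(dataset)` subsearch renders as `avg(dataset)=4`, which is the boolean expression behind the errors quoted above.

```spl
index=app sourcetype=response_log
| stats count AS eventcount BY request_id
| eval ResponseSize = eventcount * [
      search index=app sourcetype=config "line_size_mb="
      | rex field=_raw "line_size_mb=(?<size>\d+)"
      | rename size AS query
      | fields query
      | head 1
  ]
| table request_id eventcount ResponseSize
```

If no config event matches, the subsearch renders as nothing and the eval becomes `eventcount * ]`, which fails to parse, so run the subsearch on its own first and keep the `head 1` so it can never render more than one value.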
Wow. So where all do subsearches work? I thought they only worked in the base search and with special search commands (like join, ...). Is this documented somewhere?
Subsearches behave like backticks in Unix. Anywhere that they're not treated specially (set, append, join) their result is just rendered as a string and inserted into the search.
Looks like sometimes it adds excess decoration though, at least with use cases that would be useful, like
| rest splunk_server=local /servicesNS/-/[| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1]/data/models. But with some (slightly silly) workarounds it can help!
| makeresults | eval test="/servicesNS/-/" + [| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1] + "/data/models" | map search="| rest splunk_server=local $test$"