Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Very large number math

craigkleen
Communicator
‎05-14-2019 02:04 PM

I have a log file with a very large number in it, it's a sequence number, and doesn't seem to have anything to do with time, they're all unique. They look like:

sequence_number
6675670249450679850
6675670249450679847
6675670249450679801
6675670249450679800
6675670249450679653
6675670249450679652
6675670249450679645
6675670249450679643
6675670249450679642
6675670249450679523
6675670249450679522

There's a relationship between logs when the numbers differ by 1, but the logs contain different information. I'm trying to do a transaction to group these lines, but to get "sequence_number - 1", Splunk seems to round horribly. I only really need to compare the least significant digits, so I have a workaround to create a field based on data in the higher number with:

| eval subSeq=tonumber(substr(tostring(sequence_number), -6)), firstSeq=subSeq - 1

And something similar to the other log type. But, is there a better way?

Tags (1)
0 Karma
Reply

koshyk
Super Champion
‎05-14-2019 02:26 PM

Another solution is to get a "shorter ID" and calculations based on that

Example

|makeresults
| eval sequence_number="6675670249450679850"
| rex field=sequence_number "(?<subSeq>\w{5})$"
| eval firstSeq=subSeq - 1
| table sequence_number,subSeq,firstSeq
0 Karma
Reply

craigkleen
Communicator
‎05-14-2019 02:47 PM

Yeah, that gets me to the same place. But gets a little unwieldy in my use case. To expand my original data with an example, it's like:

eventNum,Data,sequence_number
eventOne,origData,6675670249450679850
eventOne,origData,6675670249450679847
eventOne,origData,6675670249450679801
eventTwo,extradata,6675670249450679800
eventOne,origData,6675670249450679653
eventTwo,extradata,6675670249450679652
eventOne,origData,6675670249450679645
eventOne,origData,6675670249450679643
eventTwo,extradata,6675670249450679642
eventOne,origData,6675670249450679523
eventTwo,extradata,6675670249450679522

Where, I'm trying to add the fields in "extraData" to the fields in "origData", when the only thing I have coupling this data is this sequence_number that's off by one.

So, it seems shorter use a single statement like:

| eval commonSeq=if(eventNum="eventOne", tonumber(substr(tostring(sequence_number), -6)) - 1, tonumber(substr(tostring(sequence_number), -6))) | transaction commonSeq

Was really hoping that there was more of a function based approach I'm missing, rather than a rex-based one.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...