Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Very large number math

craigkleen
Communicator
‎05-14-2019 02:04 PM

I have a log file with a very large number in it, it's a sequence number, and doesn't seem to have anything to do with time, they're all unique. They look like:

sequence_number
6675670249450679850
6675670249450679847
6675670249450679801
6675670249450679800
6675670249450679653
6675670249450679652
6675670249450679645
6675670249450679643
6675670249450679642
6675670249450679523
6675670249450679522

There's a relationship between logs when the numbers differ by 1, but the logs contain different information. I'm trying to do a transaction to group these lines, but to get "sequence_number - 1", Splunk seems to round horribly. I only really need to compare the least significant digits, so I have a workaround to create a field based on data in the higher number with:

| eval subSeq=tonumber(substr(tostring(sequence_number), -6)), firstSeq=subSeq - 1

And something similar to the other log type. But, is there a better way?

Tags (1)
0 Karma
Reply

koshyk
Super Champion
‎05-14-2019 02:26 PM

Another solution is to get a "shorter ID" and calculations based on that

Example

|makeresults
| eval sequence_number="6675670249450679850"
| rex field=sequence_number "(?<subSeq>\w{5})$"
| eval firstSeq=subSeq - 1
| table sequence_number,subSeq,firstSeq
0 Karma
Reply

craigkleen
Communicator
‎05-14-2019 02:47 PM

Yeah, that gets me to the same place. But gets a little unwieldy in my use case. To expand my original data with an example, it's like:

eventNum,Data,sequence_number
eventOne,origData,6675670249450679850
eventOne,origData,6675670249450679847
eventOne,origData,6675670249450679801
eventTwo,extradata,6675670249450679800
eventOne,origData,6675670249450679653
eventTwo,extradata,6675670249450679652
eventOne,origData,6675670249450679645
eventOne,origData,6675670249450679643
eventTwo,extradata,6675670249450679642
eventOne,origData,6675670249450679523
eventTwo,extradata,6675670249450679522

Where, I'm trying to add the fields in "extraData" to the fields in "origData", when the only thing I have coupling this data is this sequence_number that's off by one.

So, it seems shorter use a single statement like:

| eval commonSeq=if(eventNum="eventOne", tonumber(substr(tostring(sequence_number), -6)) - 1, tonumber(substr(tostring(sequence_number), -6))) | transaction commonSeq

Was really hoping that there was more of a function based approach I'm missing, rather than a rex-based one.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top