Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Very large number math

craigkleen
Communicator
‎05-14-2019 02:04 PM

I have a log file with a very large number in it, it's a sequence number, and doesn't seem to have anything to do with time, they're all unique. They look like:

sequence_number
6675670249450679850
6675670249450679847
6675670249450679801
6675670249450679800
6675670249450679653
6675670249450679652
6675670249450679645
6675670249450679643
6675670249450679642
6675670249450679523
6675670249450679522

There's a relationship between logs when the numbers differ by 1, but the logs contain different information. I'm trying to do a transaction to group these lines, but to get "sequence_number - 1", Splunk seems to round horribly. I only really need to compare the least significant digits, so I have a workaround to create a field based on data in the higher number with:

| eval subSeq=tonumber(substr(tostring(sequence_number), -6)), firstSeq=subSeq - 1

And something similar to the other log type. But, is there a better way?

Tags (1)
0 Karma
Reply

koshyk
Super Champion
‎05-14-2019 02:26 PM

Another solution is to get a "shorter ID" and calculations based on that

Example

|makeresults
| eval sequence_number="6675670249450679850"
| rex field=sequence_number "(?<subSeq>\w{5})$"
| eval firstSeq=subSeq - 1
| table sequence_number,subSeq,firstSeq
0 Karma
Reply

craigkleen
Communicator
‎05-14-2019 02:47 PM

Yeah, that gets me to the same place. But gets a little unwieldy in my use case. To expand my original data with an example, it's like:

eventNum,Data,sequence_number
eventOne,origData,6675670249450679850
eventOne,origData,6675670249450679847
eventOne,origData,6675670249450679801
eventTwo,extradata,6675670249450679800
eventOne,origData,6675670249450679653
eventTwo,extradata,6675670249450679652
eventOne,origData,6675670249450679645
eventOne,origData,6675670249450679643
eventTwo,extradata,6675670249450679642
eventOne,origData,6675670249450679523
eventTwo,extradata,6675670249450679522

Where, I'm trying to add the fields in "extraData" to the fields in "origData", when the only thing I have coupling this data is this sequence_number that's off by one.

So, it seems shorter use a single statement like:

| eval commonSeq=if(eventNum="eventOne", tonumber(substr(tostring(sequence_number), -6)) - 1, tonumber(substr(tostring(sequence_number), -6))) | transaction commonSeq

Was really hoping that there was more of a function based approach I'm missing, rather than a rex-based one.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...