Splunk Search

Very large number math

craigkleen
Communicator

I have a log file with a very large number in it, it's a sequence number, and doesn't seem to have anything to do with time, they're all unique. They look like:

sequence_number
6675670249450679850
6675670249450679847
6675670249450679801
6675670249450679800
6675670249450679653
6675670249450679652
6675670249450679645
6675670249450679643
6675670249450679642
6675670249450679523
6675670249450679522

There's a relationship between logs when the numbers differ by 1, but the logs contain different information. I'm trying to do a transaction to group these lines, but to get "sequence_number - 1", Splunk seems to round horribly. I only really need to compare the least significant digits, so I have a workaround to create a field based on data in the higher number with:

| eval subSeq=tonumber(substr(tostring(sequence_number), -6)), firstSeq=subSeq - 1

And something similar to the other log type. But, is there a better way?


koshyk
Super Champion

Another solution is to get a "shorter ID" and do the calculations based on that.

Example

|makeresults
| eval sequence_number="6675670249450679850"
| rex field=sequence_number "(?<subSeq>\w{5})$"
| eval firstSeq=subSeq - 1
| table sequence_number,subSeq,firstSeq

craigkleen
Communicator

Yeah, that gets me to the same place. But gets a little unwieldy in my use case. To expand my original data with an example, it's like:

eventNum,Data,sequence_number
eventOne,origData,6675670249450679850
eventOne,origData,6675670249450679847
eventOne,origData,6675670249450679801
eventTwo,extradata,6675670249450679800
eventOne,origData,6675670249450679653
eventTwo,extradata,6675670249450679652
eventOne,origData,6675670249450679645
eventOne,origData,6675670249450679643
eventTwo,extradata,6675670249450679642
eventOne,origData,6675670249450679523
eventTwo,extradata,6675670249450679522

Where, I'm trying to add the fields in "extraData" to the fields in "origData", when the only thing I have coupling this data is this sequence_number that's off by one.

So, it seems shorter to use a single statement like:

| eval commonSeq=if(eventNum="eventOne", tonumber(substr(tostring(sequence_number), -6)) - 1, tonumber(substr(tostring(sequence_number), -6))) | transaction commonSeq

Was really hoping that there was more of a function based approach I'm missing, rather than a rex-based one.

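The "horrible rounding" described in this thread comes from Splunk's eval doing arithmetic in IEEE-754 doubles: above 2^53 (about 9.0e15) the representable values are more than 1 apart, and around 6.6e18 they are 1024 apart, so subtracting 1 from the 19-digit sequence number rounds straight back to the same value. The example below is added here and is not code from the thread or from Splunk; it reproduces that failure on the thread's own sequence numbers, then builds the same least-significant-digits grouping key the posters use, with one addition: a modulo so that a sequence ending in ...000000 still pairs with its ...999999 partner, which the plain `tonumber(substr(...)) - 1` form would miss. The rows are constructed from the data posted above, and `group_rows` stands in for `transaction commonSeq`.

```python
"""Added example (not from the original thread): why subtracting 1 from a
19-digit sequence number fails in double-precision arithmetic, and how a
least-significant-digits key with borrow handling groups the two event types.
The sample rows below are constructed from the thread's data."""
from collections import defaultdict

# Constructed sample rows from the thread: an eventOne row's sequence_number is
# one higher than the eventTwo row it belongs with.
ROWS = [
    ("eventOne", "origData", "6675670249450679850"),
    ("eventOne", "origData", "6675670249450679847"),
    ("eventOne", "origData", "6675670249450679801"),
    ("eventTwo", "extradata", "6675670249450679800"),
    ("eventOne", "origData", "6675670249450679653"),
    ("eventTwo", "extradata", "6675670249450679652"),
    ("eventOne", "origData", "6675670249450679645"),
    ("eventOne", "origData", "6675670249450679643"),
    ("eventTwo", "extradata", "6675670249450679642"),
    ("eventOne", "origData", "6675670249450679523"),
    ("eventTwo", "extradata", "6675670249450679522"),
]


def float_decrement_is_lossy(seq: str) -> bool:
    """Splunk's eval does arithmetic in IEEE-754 doubles. Above 2^53 the
    representable values are spaced more than 1 apart (1024 apart around
    6.6e18), so float(seq) - 1 rounds back to float(seq) and the decrement
    is silently lost."""
    x = float(seq)
    return (x - 1.0) == x


def suffix_key(event_num: str, seq: str, width: int = 6) -> int:
    """Common grouping key built from the last `width` digits only.
    eventOne rows are shifted down by one so they land on their eventTwo
    partner. The modulo handles the borrow case (...000000 pairs with
    ...999999), which `tonumber(substr(...)) - 1` alone gets wrong (-1)."""
    modulus = 10 ** width
    low = int(seq[-width:])
    if event_num == "eventOne":
        return (low - 1) % modulus
    return low


def group_rows(rows, width: int = 6):
    """Stand-in for `transaction commonSeq`: bucket rows by suffix key."""
    groups = defaultdict(list)
    for event_num, data, seq in rows:
        groups[suffix_key(event_num, seq, width)].append((event_num, data, seq))
    return dict(groups)


def exact_decrement(seq: str) -> str:
    """Exact decrement with arbitrary-precision integers, for comparison:
    this is what a float-based eval cannot do at this magnitude."""
    return str(int(seq) - 1)


if __name__ == "__main__":
    print("float decrement lost:", float_decrement_is_lossy("6675670249450679850"))
    print("exact decrement:", exact_decrement("6675670249450679850"))
    for key, members in sorted(group_rows(ROWS).items()):
        print(key, [(e, s) for e, _, s in members])
```

Two caveats carry over to the Splunk version: the key is only unique within a window of 10^width sequence numbers, so two events exactly 1,000,000 apart would collide into one transaction, and the borrow case needs the modulo (eval supports `%`) rather than a bare `- 1`. Picking a wider suffix reduces the collision risk as long as the suffix still fits comfortably below 2^53, which 15 or fewer decimal digits does.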