Splunk Search

evaluate mathematical expression in string

knielsen
Contributor

Hi,

Is there a fast way of evaluating the result of a string like "42 + 23" as a new field?

Background: a log file that contains answer time and a list of lengths. I want to calculate the p98(answer time) by summed lengths of events. Right now I'm doing the eval id=_cd+splunk_server | makemv delim="," rl_list | eventstats sum(rl_list) as total_rl by id trick, but I'm wondering if there is a better solution to get a sum of list elements per event.

Thanks,
Kai.


knielsen
Contributor

Hmm, I just played with

base search | makemv delim="," rl | stats sum(rl) as total values(answertime) as answertime values(whateverIwanttokeep) as whatever by _raw | fields - _raw

That might be faster than my eventstats approach.

A simple function to evaluate a string with math in it does not seem to exist. 🙂


niketn
Legend

If you do not want all fields, but only specific ones after stats, stats (transforming) would be better than the eventstats (streaming) command. You should convert your own answer and accept the same.

You could have used map function in my example to evaluate expression for each field passed on through map command but it would be too expensive and may hit limit as well.

Also as far as a command/function not existing at present, you can definitely code Custom Commands using Python if you have the expertise.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@knielsen, your query, data and question seem to be confusing. Can you add more details? What is the field name of the string that has data like "42+23"? Based on what you have asked in your question, if you just want the sum of a string expression, you would need to create a return like below

| makeresults 
| eval result= 
    [| makeresults 
    | eval data="43+23" 
    | return $data ]

knielsen
Contributor

Hmm, I can't make your result work in a real search. I don't have the value data in inner search right?

Ok, sometimes I speak gibberish. Back: my events have a string field, let's keep it short, "rl". This contains either one integer or a list of comma separated integers. I want to calculate the total of that list for each event and keep other fields of the event as well.

Since I can convert the comma separated "1,2,3,4,5..." with rex or replace into "1+2+3+4+5+6...." I was wondering if there is a simple way to feed that string into a function to get the total.

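An added example, not code from this thread or from Splunk: a Python sketch of what niketn's "code a custom command in Python" suggestion and knielsen's "feed the string into a function" idea both come down to. It evaluates a string such as "42 + 23" by walking the parsed syntax tree and permitting only numbers and + - * / ( ), because passing a field value taken from a log into Python's eval() would let a crafted event run arbitrary code in the search head; it also totals a comma-separated rl field per event while keeping the other fields. The event dicts and the field names answertime and rl are constructed from the thread's description.

```python
import ast
import operator

# Only these binary operators are allowed; ** is deliberately absent so a
# string like "9**9**9" cannot tie up the process.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_expr(text: str):
    """Evaluate a string holding only numbers, + - * / and parentheses."""
    tree = ast.parse(text.strip(), mode="eval")
    return _walk(tree.body)


def _walk(node):
    # Numeric literal (bool is a subclass of int, so exclude it explicitly).
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand)
    # Names, calls, attributes, subscripts etc. are rejected, not evaluated.
    raise ValueError("disallowed syntax: " + type(node).__name__)


def is_safe_expr(text: str) -> bool:
    """True if the string is pure arithmetic the evaluator accepts."""
    try:
        eval_expr(text)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


def sum_list_field(value: str) -> int:
    """Total of a field holding one integer or a comma-separated list."""
    return sum(int(part) for part in value.split(",") if part.strip())


def add_totals(events):
    """Per-event rl total as total_rl, other fields preserved."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["total_rl"] = sum_list_field(ev["rl"])
        out.append(ev)
    return out


# Constructed sample events in the shape the thread describes.
SAMPLE_EVENTS = [{"answertime": 120, "rl": "42"},
                 {"answertime": 300, "rl": "1,2,3,4,5"}]
```

Inside a real custom streaming command the same two functions would be applied to each record in the stream; is_safe_expr() is the check to run before trusting a string expression from an event.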