log1:1min:1;5min:1;60min:1;24min:1
log2:1min:1;5min:1;60min:1;24min:1
Total: 1min:2;5min:2;60min:2;24min:2
How do I compute the Total line from the above two log lines? I am confused about which aggregate function I need to use, since the sum aggregation spans across log statements, not within a single log statement. Any help is appreciated.
If you get the values extracted in fields this should be very easy to accomplish using the stats command. For instance, to get the total of fields called 1min, 5min, 60min and 24min:
... | stats sum(1min),sum(5min),sum(60min),sum(24min)
...or just
... | stats sum(*min)
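Added example, not code from the original answer or from Splunk: a small Python script that does for the log format in the question what rex and stats sum do inside Splunk, reading constructed sample lines, summing each counter across lines and printing a Total line. The regex, the function names and the regex_compiles check are assumptions made for this example; it also shows that a capture group named 1min_val is rejected, because group names in PCRE (which rex uses) and in Python's re must not start with a digit.

```python
import re
from collections import OrderedDict

# Constructed sample input in the format from the question: counter:value pairs
# separated by ';', one log event per line. A later comment writes the pairs
# with '=' instead of ':', so both separators are accepted below.
LOG_LINES = [
    "log1:1min:1;5min:1;60min:1;24min:1",
    "log2:1min:1;5min:1;60min:1;24min:1",
]

# The counter name (1min, 5min, 60min, 24min, 24hr, ...) is captured as text and
# used as a dictionary key, because a group name such as 1min_val is not allowed.
PAIR_RE = re.compile(r"(?P<name>\d+(?:min|hr))[:=](?P<value>\d+)")

def regex_compiles(pattern):
    """True if the regex engine accepts the pattern (checks group names too)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def extract_counters(line):
    """Return the counters found in one log line, in the order they appear."""
    return OrderedDict((m.group("name"), int(m.group("value")))
                       for m in PAIR_RE.finditer(line))

def total_counters(lines):
    """Sum each counter across all lines, like '... | stats sum(*min)'."""
    totals = OrderedDict()
    for line in lines:
        for name, value in extract_counters(line).items():
            totals[name] = totals.get(name, 0) + value
    return totals

def format_total_line(totals):
    """Render totals in the 'Total: 1min:2;5min:2;...' layout from the question."""
    return "Total: " + ";".join(f"{k}:{v}" for k, v in totals.items())

if __name__ == "__main__":
    # The group name below starts with a digit, so this pattern is rejected.
    print("1min_val accepted:", regex_compiles(r"1min (?P<1min_val>\d+);"))
    print(format_total_line(total_counters(LOG_LINES)))
```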
No, your regex is likely not matching. You should try out your regex in the interactive field extractor in Splunk, or on some external regex checker tool such as regexpal.com.
Hi Ayn,
Trying to add a field extraction to solve the above problem.
1min=1;5min=1;60min=1;24hr=1
In the Add new field extraction screen I entered the regex below. Is this OK?
1min (?<1min_val>\d+);
After adding the above I used the search below, which didn't give me any results.
index=main sourcetype="splunk-too_small" | stats sum(1min_val)
Please help on this.
No, the field argument for rex refers to what field it should read FROM (default is _raw), not what field it should write. You need to read up on the syntax.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
As for the stats command, I'm not sure what you want to achieve when splitting by _time. If you want to create a timechart, have a look at the timechart command instead.
Hi Ayn,
Does something like the below work, without field extractions?
Can we use extract(1min) or rex as below?
ProcessService | rex field=1min (?
sum(oneval),sum(fiveval),sum(sixtyval),sum(tfval) by _time
Hi Ayn, Thanks for the response.
Not yet extracted into fields.
Currently I am writing a program which logs these statements.
* I am trying to find out the best log format for Splunk to do this aggregation.
* Once that is written, the best stats aggregate function to get the Total line.
Do you have these values extracted into fields?