Splunk Search

substraction: | eval field1=mvfilter(match(field, "OUT$")) <-substract-> | eval field1=mvfilter(match(field, "IN$"))

knitz
Explorer

Hello Community,

I evaluate the values of a single field which comes with values such as: OUT; IN; DENIED and can get counters for each of those values.
Now I want to subtraction "OUT" minus "IN" ( or maybe even minus "DENIED")

index="application-license" sourcetype=application License_User_device=* License_feature_status=* License_user=*
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| eval User=(License_user)

| eval LicenseTaken-OUT=mvfilter(match(License_feature_status, "OUT$"))
| eval LicenseTaken-IN=mvfilter(match(License_feature_status, "IN$"))
| eval LicenseTaken-DENIED=mvfilter(match(License_feature_status, "DENIED$"))
| eval LicenseTaken=(License_feature_status)

| eval LicenseTaken-AVG=mvfilter(match(License_feature_status, "OUT$") OR match(License_feature_status, "IN$") )
| eval License_feature=(License_feature)

| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")

| bucket Time span=100d

| timechart count(LicenseTaken-OUT) as "Application-LicenseTaken(OUT)" count(LicenseTaken-IN) as "Application-LicenseTaken(IN)" count(LicenseTaken-DENIED) as "Application-License-DENIED" count(LicenseTaken) as "Application-License Taken(sum)" count(LicenseTaken-AVG) as "License_avg" | predict License_avg algorithm=LLT upper40=high lower40=low future_timespan=45 holdback=3

in above sample ... I like to implement:
| eval LicenseTaken=(License_feature_status) - | eval field1=mvfilter(match(field, "IN$"))

or

.... mvfilter(match(License_feature_status, "OUT$")) MINUS mvfilter(match(License_feature_status, "IN$"))

Field substraction wasn't working; turned back always 0 (zero)

Any ideas?
thanks in advance

Kai

Labels (1)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion

UPDATE:

index="application-license" sourcetype=application License_User_device="*" License_feature_status="*" License_user="*"
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| rex max_match=0 field=License_fueature_status "\b(?<status>\w+$)"
| timechart span=1d count by status
| streamstats sum(OUT) as sOUT sum(IN) as sIN
| eval LicenseInUse=sOUT - sIN
| fields - s*
| outputlookup Minitab-Test-Calculation.csv 

I see, How about this?

View solution in original post

0 Karma

knitz
Explorer

Hello,

and thanks again.

Unfortunately above suggestion doesn't work for me.... but it gave me more possible ideas how to handle the case.

(I adjusted as per below)
index="minitab-license" sourcetype=minitab License_User_device=* License_feature_status=* License_user=*
| rex max_match=0 field=License_feature_status "\b(?\w+$)"
| timechart span=1d count by status
| eventstats
,count(status="OUT") as "LicenseTaken_OUT"
,count(status="IN") as "LicenseTaken_IN"
,count(status="DENIED") as "LicenseTaken_DENIED"
| eval LicenseInUse=OUT - IN
| outputlookup Minitab-Test-Calculation.csv (export --just to see results)


So far so good

In above case I try to count "licenses" which are given "OUT" & taken back "IN"

So start with counter "0" --> "OUT or IN"

  1. request comes at sometime on 2019-12-21 and takes 2 licenses "OUT" and it counts "license in use as per formula correct 2
  2. request comes at sometime on 2019-12-22 and it takes 18 licenses "OUT" / same time (due to span=1d) it returns 1 license "IN" it counts "license in use as per formula correct 17 (in that row) .... but I am missing my "counted 2 licenses out of the first request

so would it be possible to carry on the previous result PLUS the | eval LicenseInUse=OUT - IN into another column

alt text

0 Karma

to4kawa
Ultra Champion

Hi, @knitz
my answer is updated

0 Karma

to4kawa
Ultra Champion

UPDATE:

index="application-license" sourcetype=application License_User_device="*" License_feature_status="*" License_user="*"
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| rex max_match=0 field=License_fueature_status "\b(?<status>\w+$)"
| timechart span=1d count by status
| streamstats sum(OUT) as sOUT sum(IN) as sIN
| eval LicenseInUse=sOUT - sIN
| fields - s*
| outputlookup Minitab-Test-Calculation.csv 

I see, How about this?

0 Karma

knitz
Explorer

Hello,

and thank you very much for your prompt response.

Unfortunately above suggestion doesn't work for me.... but it gave me more possible ideas how to handle the case.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...