So it turns out this is not possible with Splunk, as the results are passed from one pipe through to the next pipe. I was trying to have the results from one event's calculations and evals affect the results of the next event, and Splunk's searches just don't work this way.
I ended up using this python script and it works perfectly.
# Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 3.0
import csv
import datetime
import os
import string
import sys

import splunk.Intersplunk
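# Custom search command: walks the result set in order and spreads each row's
# annualCost over the remaining days of the year, carrying a running total
# from one row to the next (which a plain search pipeline cannot do).
#
# Reads per row:  annualCost, daysLeftInYear, daysInMonth
# Writes per row: monthlyCost, paidToDate

# Debug log for this command.
# NOTE(review): this is a fixed file name in a world-writable directory, so
# another local account can create the path (or plant a symlink there) before
# the search runs. The open below therefore refuses to follow a symlink and
# creates the file owner-only; a log directory owned by the Splunk account
# would be a better home for it.
LOG_PATH = '/tmp/distribution-calc.log'
log_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
f = os.fdopen(os.open(LOG_PATH, log_flags, 0o600), 'w')

try:
    f.write('Starting\n')
    f.write('argv length ' + str(len(sys.argv)) + '\n')

    # Splunk first invokes the script in "getinfo" mode to ask how the
    # command behaves; answer and stop without touching any results.
    (isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
    if isgetinfo:
        splunk.Intersplunk.outputInfo(False, False, True, False, None)
        sys.exit()

    try:
        # get results from Splunk
        f.write('Getting results from Splunk\n')
        results = splunk.Intersplunk.readResults(None, None, True)
        f.write('Success\n')
        f.write('Size of resultset' + str(len(results)) + '\n')

        # Amount already allocated to earlier rows.
        runningTotal = 0

        # Field values arrive as strings taken from event data. float()
        # raises on non-numeric text and a zero daysLeftInYear raises on the
        # division; both end up in the handler below. float() also accepts
        # 'nan' and 'inf', which would carry into every later row.
        for row in results:
            remaining = float(row['annualCost']) - runningTotal
            monthlyCost = remaining / float(row['daysLeftInYear']) * float(row['daysInMonth'])
            runningTotal = runningTotal + monthlyCost
            row['monthlyCost'] = monthlyCost
            row['paidToDate'] = runningTotal

        splunk.Intersplunk.outputResults(results)
    except Exception as e:
        # Record the failure locally as well as reporting it to Splunk.
        f.write('Unhandled exception: %s\n' % (e,))
        splunk.Intersplunk.generateErrorResults("Unhandled exception: %s" % (e,))
finally:
    # Close the log on every path, including the getinfo exit and errors.
    f.close()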