Solved: eval and best practice question

apalen · ‎06-04-2014

Hello Splunk Community,

So posted below is my query and results, i want to use this or improve it to make a report that creates a mean, mode and range with daily, monthly and year to date data. Also i need to eliminate some of the data, 0 values and a getHeldTotal and getSettleLaterTotal. I am thinking i may need to table this to break it up, but i am unsure if this would be best practice. I am trying to use the eval but has proven more complicated then my understanding will allow. I was hoping someone in the community might be able to help me with this.

Query:

 index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "(?i)\\.AcquireInvoice    (?P<settlement>.+)" | top 50 settlement

Results:
the Italicized numbers are the settlement amounts.
settlement count percent

(AcquireInvoice.foo :port) - getHeldTotal(): 0  139 23.361345
(AcquireInvoice.foo port - getSettleLaterTotal(): 0 93  15.630252
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2500*    54  9.07563
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4500*    32  5.378151
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2000*    28  4.705882
(AcquireInvoice.foo :port) - getSettlementTotal(): *0*  24  4.033613
(AcquireInvoice.foo :port) - getSettleNowTotal(): *1000*    20  3.361345
(AcquireInvoice.foo :port) - getSettlementTotal(): *2500*   17  2.857143
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4000*    16  2.689076
(AcquireInvoice.foo :port) - getSettleNowTotal(): *500* 13  2.184874
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2105*    12  2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *4500*   12  2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *2000*   12  2.016807

dmaislin_splunk · ‎06-04-2014

For Settlement field:

index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+)" | top 50 settlement

and for Settlement, Count, and Percent fields:

 index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+).+?(?<Count>\d+).+?(?<Percent>.+)" | top 50 Settlement

Here is a permalink to the REGEX:

http://regex101.com/r/tE7jT0

View solution in original post

dmaislin_splunk · ‎06-04-2014

For Settlement field:

index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+)" | top 50 settlement

and for Settlement, Count, and Percent fields:

 index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+).+?(?<Count>\d+).+?(?<Percent>.+)" | top 50 Settlement

Here is a permalink to the REGEX:

http://regex101.com/r/tE7jT0

dmaislin_splunk · ‎06-04-2014

Median, Mode, etc. are all functions covered in stats:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Commonstatsfunctions

Read this: http://answers.splunk.com/answers/27052/how-to-compute-stats-mean-median-mode-over-a-frequency-table

apalen · ‎06-04-2014

Thanks dmaislin_splunk!
that cleared up the search results to be alot nicer, but my root problem is to make a report that creates a mean, mode and range with daily, monthly and year to date data. I assume i need to use eval, but i havent mastered it yet.

Thanks for the cleaner search!

eval and best practice question

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!