Hello Splunk Community,
So posted below is my query and results; I want to use this or improve it to make a report that creates a mean, mode and range with daily, monthly and year-to-date data. Also I need to eliminate some of the data: 0 values, and getHeldTotal and getSettleLaterTotal. I am thinking I may need to table this to break it up, but I am unsure if this would be best practice. I am trying to use the eval, but it has proven more complicated than my understanding will allow. I was hoping someone in the community might be able to help me with this.
Query:
index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "(?i)\\.AcquireInvoice (?P<settlement>.+)" | top 50 settlement
Results:
The italicized numbers are the settlement amounts.
settlement                                                count  percent
(AcquireInvoice.foo :port) - getHeldTotal(): 0              139  23.361345
(AcquireInvoice.foo port - getSettleLaterTotal(): 0          93  15.630252
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2500*     54  9.07563
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4500*     32  5.378151
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2000*     28  4.705882
(AcquireInvoice.foo :port) - getSettlementTotal(): *0*       24  4.033613
(AcquireInvoice.foo :port) - getSettleNowTotal(): *1000*     20  3.361345
(AcquireInvoice.foo :port) - getSettlementTotal(): *2500*    17  2.857143
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4000*     16  2.689076
(AcquireInvoice.foo :port) - getSettleNowTotal(): *500*      13  2.184874
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2105*     12  2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *4500*    12  2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *2000*    12  2.016807
For Settlement field:
index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+)" | top 50 Settlement
and for Settlement, Count, and Percent fields:
index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+).+?(?<Count>\d+).+?(?<Percent>.+)" | top 50 Settlement
Here is a permalink to the REGEX:
Median, Mode, etc. are all functions covered in stats:
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Commonstatsfunctions
Read this: http://answers.splunk.com/answers/27052/how-to-compute-stats-mean-median-mode-over-a-frequency-table
Thanks dmaislin_splunk!
That cleared up the search results to be a lot nicer, but my root problem is to make a report that creates a mean, mode and range with daily, monthly and year-to-date data. I assume I need to use eval, but I haven't mastered it yet.
Thanks for the cleaner search!
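A worked report query for the question in this thread (daily mean, mode and range of the settlement amounts, with the 0 values and the getHeldTotal/getSettleLaterTotal lines removed). This is an added example written for this page, not a query posted by the original poster or by dmaislin_splunk. It assumes the same index, sourcetype and log line layout as the results shown in the question, takes the field name Settlement from dmaislin_splunk's rex, and adds a Method field (an assumption of this example, so that getSettleNowTotal and getSettlementTotal amounts are reported separately rather than averaged together):

```spl
index=pfe_os_messages sourcetype="log4j" earliest=-30d@d latest=@d
| rex "(?<Method>getSettle(?:Now|ment)Total)\(\):\s*(?<Settlement>\d+)"
| eval Settlement=tonumber(Settlement)
| where Settlement > 0
| bin _time span=1d
| stats count AS Samples, avg(Settlement) AS Mean, mode(Settlement) AS Mode, range(Settlement) AS Range BY _time, Method
| eval Mean=round(Mean, 2)
| sort - _time, Method
```

How it does the filtering the question asks for: the rex only matches getSettleNowTotal and getSettlementTotal, so getHeldTotal and getSettleLaterTotal events never get a Settlement field and are dropped by the where clause, which also drops the 0 amounts. Anchoring the regex on the literal "():" and capturing the digits that follow it keeps the amount from being confused with any digits elsewhere in the line. For the monthly report change the bin line to span=1mon; for year to date set the time range to earliest=@y latest=now and use span=1y (or drop the bin line and the _time grouping). Note that head 10000 from the original searches should not be kept in a scheduled report, since head keeps only the most recent N events and would silently truncate any multi-day window; count and percent are produced by top or stats rather than extracted from the events themselves.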