eval and best practice question

apalen
Path Finder

Hello Splunk Community,

So posted below is my query and results. I want to use this or improve it to make a report that creates a mean, mode and range with daily, monthly and year-to-date data. Also I need to eliminate some of the data: 0 values and the getHeldTotal and getSettleLaterTotal lines. I am thinking I may need to table this to break it up, but I am unsure if this would be best practice. I am trying to use eval, but it has proven more complicated than my understanding will allow. I was hoping someone in the community might be able to help me with this.

Query:

 index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "(?i)\\.AcquireInvoice    (?P<settlement>.+)" | top 50 settlement

Results:
The italicized numbers are the settlement amounts.

settlement                                                  count  percent
(AcquireInvoice.foo :port) - getHeldTotal(): 0                139  23.361345
(AcquireInvoice.foo port - getSettleLaterTotal(): 0            93  15.630252
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2500*       54   9.07563
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4500*       32   5.378151
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2000*       28   4.705882
(AcquireInvoice.foo :port) - getSettlementTotal(): *0*         24   4.033613
(AcquireInvoice.foo :port) - getSettleNowTotal(): *1000*       20   3.361345
(AcquireInvoice.foo :port) - getSettlementTotal(): *2500*      17   2.857143
(AcquireInvoice.foo :port) - getSettleNowTotal(): *4000*       16   2.689076
(AcquireInvoice.foo :port) - getSettleNowTotal(): *500*        13   2.184874
(AcquireInvoice.foo :port) - getSettleNowTotal(): *2105*       12   2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *4500*      12   2.016807
(AcquireInvoice.foo :port) - getSettlementTotal(): *2000*      12   2.016807

dmaislin_splunk
Splunk Employee

For Settlement field:

index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+)" | top 50 Settlement

and for Settlement, Count, and Percent fields:

 index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+).+?(?<Count>\d+).+?(?<Percent>.+)" | top 50 Settlement

Here is a permalink to the REGEX:

http://regex101.com/r/tE7jT0

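Building on the accepted answer's rex, the following search is an added example (not part of dmaislin_splunk's post or the original question) that goes on to answer the reporting part of the question: it drops the getHeldTotal and getSettleLaterTotal lines, discards zero amounts, and computes mean, mode and range per day. The index, sourcetype and the Settlement field name come from the thread; the year-to-date time range (earliest=@y) and the 1d bucket size are assumptions chosen for illustration.

```spl
index=pfe_os_messages sourcetype="log4j" earliest=@y
| rex "getSettle(?:Now|ment)Total.+?(?<Settlement>\d+)"
| eval Settlement=tonumber(Settlement)
| where isnotnull(Settlement) AND Settlement > 0
| bin _time span=1d
| stats count AS events, avg(Settlement) AS mean, mode(Settlement) AS mode, range(Settlement) AS range BY _time
| eval mean=round(mean, 2)
```

A few points on how this works. The `(?:Now|ment)` alternation in the rex only matches getSettleNowTotal and getSettlementTotal, so getHeldTotal and getSettleLaterTotal events never get a Settlement value and are removed by the `where` clause, which also removes the 0 amounts; `where` takes an eval expression, so no separate table step is needed. `tonumber()` makes the extracted string numeric before `avg`, `mode` and `range` are applied. The `head 10000` from the original search is deliberately left out, because it caps the sample at the first 10,000 events and would skew the aggregates; with `earliest=@y` the search already covers the year to date. For a monthly report change the bucket to `span=1mon`; for a single year-to-date row remove the `bin` line and the `BY _time` clause.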

apalen
Path Finder

Thanks dmaislin_splunk!
That cleared up the search results to be a lot nicer, but my root problem is to make a report that creates a mean, mode and range with daily, monthly and year-to-date data. I assume I need to use eval, but I haven't mastered it yet.

Thanks for the cleaner search!
