Performing basic calculations, eval statement and ...

bcatwork · ‎05-28-2015

I need some assistance in calculating latency values. I have many hosts, logging transformation latency in different ways. Some of these events contain a field called transformation_latency (host=barfoo1, host=barfoo2), the others contain total_latency and backend_latency (host=foobar01, host=foobar02, foobar03))

The logic works as follows: If host=foobar*, transformation_latency=(total_latency - backend_latency)

my stats function looks like |stats avg(transformation_latency)

I have found using eval statements, I cannot use a wildcard. I am seeking a way to perform this calculation and assign a transformation_latency if one is not present in the event.

I have tried <pre>eval field=if(isnull(field),elsefield,field) </pre>
But, as we continue to add hosts, logs will differ and I must more implicitly state that this specific calculation applies to hosts like %foobar0% only

Thanks!

jacobwilkins · ‎05-28-2015

This is not a foreach usecase.

This is actually much simpler. Before your stats command, do this:

| eval transformation_latency=coalesce(transformation_latency, total_latency-backend)

The name of the host doesn't matter. The presence or absence your transformation_latency field is all that matters. If it is there, use it. If it isn't, calculate it.

bcatwork · ‎05-29-2015

So this works for my current state. However, I will need to perform a different calculation based on host parameters in the near future that will not handle a null value for transformation_latency the same way as above.

To be more specific, I calculate backend_latency using the addtotal commands for iterative backend calls, but I will need the max backend_latency* for parallel calls. Ive found I need to use the coalesce function prior to the addtotal command to have null values handled properly. So how can I state, use (total_latency-backend_latency) if host=xyz, use
(total_latency-max_backend_latency)) if host=abc. Any suggestions? Thanks!

jacobwilkins · ‎05-29-2015

Well, once again, is max_backend_latency null in cases where you need to use backend_latency? If so, same trick. For clarity, we'll converge them to a 3rd field.

 | eval my_backend_latency=coalesce(max_backend_latency,backend_latency)
 | eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

If you really have your heart set on doing conditionals based on host, which I'm steering you away from because that kind of procedural-think usually leads to unnecessary complexity, I'll show you how.

| eval my_backend_latency=case(searchmatch(host=xyz*) , backend_latency, searchmatch(host=abc*), max_backend_latency)
| eval transformation_latency=coalesce(transformation_latency, total_latency-my_backend_latency)

You could also use if instead of case if you only had 2 conditions. You could also use match instead of searchmatch if you like regex better.

You should study this: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions

bcatwork · ‎05-28-2015

I have checked the examples. This seems like it will help. How can I explicitly state the host value using a wildcard rather than just a wildcard field?

This does not work,
foreach host=foobar* [eval transformation_latency=total_latency-backend]

I have already initialized all variables by the time of the foreach statement. I need to perform this calculation dependent on host value.

Thank your for your time and prompt assistance!

Performing basic calculations, eval statement and wildcard

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!