
Is there a way to extract single count values from sistats summary data?

systemjack
Explorer

At the end of a long search that goes into a summary index, we capture counts of events by site using sistats:

| sistats dc(site) by partner trackingid date _time

This results in a field in the summary like:

psrsvd_vm_site="106;3;109;4;113;6;120;3;123;3;"

which has pairs of site_id value and event counts for that site. We usually use dc() to get a count of sites per day for a given item and just get the total of the counts, but we have a need to get back out the count corresponding to a specific site.

We can get the list of sites with this:

| stats values(site) as sites count as totalcount by trackingid date partner

But I can't figure out how to get the individual counts out matched up to the corresponding site. Is there a way to tell that site 113 had 6 events? And we need it for all sites so we could eventually do an mvexpand or similar (so it can't be finding an index to a specific value).

Unfortunately, since sistats delimits both the data point and the set with semicolons, most of the built-in functions don't seem to help. I've been looking for something like an unzip (an inverse of mvzip?) or slice operation on a string or multivalue field to get pairs of values or every other one.

Thanks


systemjack
Explorer

Okay, I think I figured out a way forward. I'm using rex to parse out every other item directly from the sistats-generated field:

| eval parsed_sites=psrsvd_vm_site | rex field=parsed_sites mode=sed "s/(\d+);\d+;?/\1;/g"
| eval parsed_counts=psrsvd_vm_site | rex field=parsed_counts mode=sed "s/\d+;(\d+);?/\1;/g"

This gives me two fields holding each type of value in order. Now I should be able to manipulate those lists to get what I want. Probably by converting them to multivalued fields, getting the index of a site and looking up the count by index, etc.
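An added worked example, not part of the original question or reply, showing the positional pairing the thread is describing: because sistats uses ";" both between a value and its count and between pairs, the only structure in psrsvd_vm_site is position, so even tokens are site ids and odd tokens are counts. The code below parses that string, looks up a single site, rebuilds the dc() and total that the original search reported, and expands each pair into its own row carrying the grouping fields along, which is what the split / mvzip / mvexpand route does in SPL. The sample rows, field values and function names are constructed for this example.

```python
# Added example (not from the original post): parse the value;count;value;count;
# string that sistats stores in a psrsvd_vm_<field> column and recover per-site
# counts, mirroring what split + mvzip + mvexpand would do in SPL.

from typing import Dict, List, Tuple

# Constructed sample rows shaped like the summary-index events in the post.
# The partner/trackingid/date values are assumptions made for this example.
SUMMARY_ROWS = [
    {"partner": "acme", "trackingid": "T-1001", "date": "2024-05-01",
     "psrsvd_vm_site": "106;3;109;4;113;6;120;3;123;3;"},
    {"partner": "acme", "trackingid": "T-1002", "date": "2024-05-01",
     "psrsvd_vm_site": "106;1;"},
]


def parse_vm_pairs(raw: str) -> List[Tuple[str, int]]:
    """Turn 'v;c;v;c;' into [(v, c), ...].

    Both separators are ';', so the only structure is positional: tokens at
    even indexes are values, tokens at odd indexes are counts. The trailing
    ';' yields an empty final token, which is dropped. An odd number of
    remaining tokens means the string is not a well-formed pair list, and
    silently zipping it would pair a site with the wrong count.
    """
    tokens = [t for t in raw.split(";") if t != ""]
    if len(tokens) % 2 != 0:
        raise ValueError(f"unpaired token in psrsvd_vm value: {raw!r}")
    values = tokens[0::2]   # every other token starting at index 0
    counts = tokens[1::2]   # every other token starting at index 1
    return [(v, int(c)) for v, c in zip(values, counts)]


def site_counts(raw: str) -> Dict[str, int]:
    """Map site id -> event count for one summary row."""
    return dict(parse_vm_pairs(raw))


def dc_and_total(raw: str) -> Tuple[int, int]:
    """Recover what dc(site) and the summed counts were for this row."""
    pairs = parse_vm_pairs(raw)
    return len(pairs), sum(n for _, n in pairs)


def expand_rows(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """mvexpand equivalent: one output row per (site, count) pair,
    keeping the grouping fields (partner, trackingid, date) on each row."""
    out: List[Dict[str, object]] = []
    for row in rows:
        for site, n in parse_vm_pairs(row["psrsvd_vm_site"]):
            out.append({"partner": row["partner"],
                        "trackingid": row["trackingid"],
                        "date": row["date"],
                        "site": site,
                        "site_count": n})
    return out


if __name__ == "__main__":
    raw = SUMMARY_ROWS[0]["psrsvd_vm_site"]
    print("site 113 ->", site_counts(raw)["113"])
    print("dc, total ->", dc_and_total(raw))
    for r in expand_rows(SUMMARY_ROWS):
        print(r)
```

The odd-token check matters more than it looks: the two sed rewrites in the reply above will happily produce lists of different lengths from a malformed string, and a later mvzip would then pair the wrong site with the wrong count without any error.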
