Is there a way to extract single count values from sistats summary data?

systemjack
Explorer

At the end of a long search that goes into a summary index we capture counts of events by site using sistats:

| sistats dc(site) by partner trackingid date _time

This results in a field in the summary like:

psrsvd_vm_site="106;3;109;4;113;6;120;3;123;3;"

which has pairs of site_id value and event counts for that site. We usually use dc() to get a count of sites per day for a given item and just get the total of the counts, but we have a need to get back out the count corresponding to a specific site.

We can get the list of sites with this:

| stats values(site) as sites count as totalcount by trackingid date partner

But I can't figure out how to get the individual counts out matched up to the corresponding site. Is there a way to tell that site 113 had 6 events? And we need it for all sites so we could eventually do an mvexpand or similar (so it can't be finding an index to a specific value).

Unfortunately, since sistats delimits both the data point and the set with semicolons, most of the built-in functions don't seem to help. I've been looking for something like an unzip (an inverse of mvzip?) or slice operation on a string or multivalue field to get pairs of values or every other one.

Thanks

systemjack
Explorer

Okay, I think I figured out a way forward. I'm using rex to parse out every other item directly from the sistats-generated field:

| eval parsed_sites=psrsvd_vm_site | rex field=parsed_sites mode=sed "s/(\d+);\d+;?/\1;/g"
| eval parsed_counts=psrsvd_vm_site | rex field=parsed_counts mode=sed "s/\d+;(\d+);?/\1;/g"

This gives me two fields holding each type of value in order. Now I should be able to manipulate those lists to get what I want. Probably by converting them to multivalued fields, getting the index of a site and looking up the count by index, etc.
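The parsing described in the reply above, written out as an added Python example (not code from the post or from Splunk): it assumes the psrsvd_vm_site value is exactly the "site;count;" pair list shown in the question, reproduces the two sed-style substitutions, and then builds the site-to-count lookup directly, which is the "unzip" the question asked for.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape the question shows:
# "site_id;count;" pairs, semicolon-delimited, with a trailing semicolon.
SAMPLE = "106;3;109;4;113;6;120;3;123;3;"

# Same patterns as the two rex mode=sed commands in the reply.
SITES_RE = re.compile(r"(\d+);\d+;?")   # keep the site id, drop its count
COUNTS_RE = re.compile(r"\d+;(\d+);?")  # keep the count, drop its site id


def split_sites_and_counts(raw: str) -> Tuple[List[str], List[int]]:
    """Mirror the two substitutions: one pass keeps the first item of each
    pair, the other keeps the second. The two lists line up by index."""
    sites_str = SITES_RE.sub(r"\1;", raw)
    counts_str = COUNTS_RE.sub(r"\1;", raw)
    sites = [s for s in sites_str.split(";") if s]
    counts = [int(c) for c in counts_str.split(";") if c]
    if len(sites) != len(counts):
        raise ValueError("malformed pair list: %r" % raw)
    return sites, counts


def site_counts(raw: str) -> Dict[str, int]:
    """Build site -> count in one pass (the inverse of mvzip). An empty
    string or a trailing semicolon yields no stray entries."""
    items = [t for t in raw.split(";") if t]
    if len(items) % 2:
        raise ValueError("odd number of items in %r" % raw)
    return {items[i]: int(items[i + 1]) for i in range(0, len(items), 2)}


def count_for_site(raw: str, site: str) -> Optional[int]:
    """Answer the question's example: how many events did one site have?
    Returns None when the site is not present in the pair list."""
    return site_counts(raw).get(site)


if __name__ == "__main__":
    print(split_sites_and_counts(SAMPLE))
    print(site_counts(SAMPLE))
    print(count_for_site(SAMPLE, "113"))  # 6
```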
