Reporting

Working with dynamically named fields (extract)

jbmchuck
Engager

I have a script which runs every minute to extract information from squid logs. I'm not interested in actually indexing the data from squid (far too much data) so instead I'm indexing a single line every minute showing the response code statistics from the last minute, for example:

HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5

Note that the inclusion of codes can vary line by line.

Ultimately I'd like to generate total hits and percentage of hits for each status. I've gotten this far:

index=myindex sourcetype=squid | extract pairdelim=" ", kvdelim=":", auto=f | stats sum(HTTP*) | addtotals fieldname=TotalHits | rename sum(*) as *

which returns something like (contrived output - generally there will be several more fields, HTTP404, 5XX, etc)

HTTP0   HTTP200 HTTP206 HTTP301 TotalHits
4322    1234    777     555     6888

What I'd like to do is generate a percentage field for each of the HTTP* columns. I know that eval doesn't handle wildcards, so that doesn't appear to be an option. Is there a way to simply tell Splunk to multiply/divide all columns matching a prefix by a value from another field?

1 Solution

martin_mueller
SplunkTrust

Using the http://splunk-base.splunk.com/apps/76026/scale-command you can do this:

... stats ... addtotals ... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" inverse=t | rename ...

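The same pipeline (extract the key:value pairs, sum each HTTP* field across minutes, add a total, then scale every matching field by the total) in plain Python, as an added example that is not from this thread and not part of Splunk or the scale app; the per-minute summary lines are constructed, and the set of codes deliberately varies line to line.

```python
import re
from collections import Counter

# Constructed sample: one squid summary line per minute; codes present vary per line.
SAMPLE_LINES = [
    "HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5",
    "HTTP200:25 HTTP304:40 HTTP404:3 HTTP500:2",
    "HTTP0:10 HTTP200:30 HTTP206:7 HTTP304:20",
]

# Equivalent of extract pairdelim=" " kvdelim=":" restricted to the HTTP* fields.
PAIR_RE = re.compile(r"^(HTTP\d+):(\d+)$")


def parse_line(line):
    """Return {field: count} for one summary line; reject tokens that are not HTTPnnn:count."""
    counts = {}
    for token in line.split():
        m = PAIR_RE.match(token)
        if not m:
            raise ValueError(f"unexpected token {token!r}")
        counts[m.group(1)] = int(m.group(2))
    return counts


def sum_by_code(lines):
    """Equivalent of stats sum(HTTP*): a field missing from a line simply adds nothing."""
    totals = Counter()
    for line in lines:
        totals.update(parse_line(line))
    return dict(totals)


def add_percentages(totals):
    """Equivalent of addtotals plus dividing each HTTP* field by TotalHits and scaling by 100."""
    total_hits = sum(totals.values())
    if total_hits == 0:
        return 0, {}
    pct = {f: round(100.0 * n / total_hits, 2) for f, n in totals.items()}
    return total_hits, pct


def report(lines):
    """Return (TotalHits, {field: (hits, percent)}) with fields ordered by numeric status code."""
    totals = sum_by_code(lines)
    total_hits, pct = add_percentages(totals)
    ordered = sorted(totals, key=lambda field: int(field[len("HTTP"):]))
    return total_hits, {f: (totals[f], pct[f]) for f in ordered}


if __name__ == "__main__":
    total, rows = report(SAMPLE_LINES)
    print("TotalHits", total)
    for field, (hits, percent) in rows.items():
        print(f"{field:8} {hits:6} {percent:6.2f}%")
```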

jonuwz
Influencer

Oh my god. This is gold:

rename sum(*) as *
