I have a script which runs every minute to extract information from squid logs. I'm not interested in actually indexing the data from squid (far too much data) so instead I'm indexing a single line every minute showing the response code statistics from the last minute, for example:
HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5
Note that the inclusion of codes can vary line by line.
Ultimately I'd like to generate total hits and percentage of hits for each status. I've gotten this far:
index=myindex sourcetype=squid | extract pairdelim=" ", kvdelim=":", auto=f | stats sum(HTTP*) | addtotals fieldname=TotalHits | rename sum(*) as *
which returns something like (contrived output - generally there will be several more fields, HTTP404, 5XX, etc.):

HTTP0  HTTP200  HTTP206  HTTP301  TotalHits
4322   1234     777      555      6888
What I'd like to do is generate a percentage field for each of the HTTP* columns. I know that eval doesn't handle wildcards, so that doesn't appear to be an option. Is there a way to simply tell Splunk to multiply/divide all columns matching a prefix by a value from another field?
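A worked alternative, added here as an example and not part of the original question or answer: on Splunk 6.0 or later the built-in foreach command iterates over a wildcarded field list and substitutes each matching field name for the <<FIELD>> token, so percentage columns can be derived from the stats output without a third-party app. The search assumes the same index, sourcetype and field names as the question; the `_pct` suffix and the two-decimal rounding are my own choices.

```spl
index=myindex sourcetype=squid
| extract pairdelim=" ", kvdelim=":", auto=f
| stats sum(HTTP*)
| rename sum(*) as *
| addtotals fieldname=TotalHits
| foreach HTTP* [eval <<FIELD>>_pct=round(100 * <<FIELD>> / TotalHits, 2)]
```

TotalHits does not match the HTTP* pattern, so it is left untouched and only the status-code columns gain a companion field (HTTP0_pct, HTTP200_pct, and so on). Because foreach operates on whatever fields exist in each result row, lines that omit a status code simply produce no percentage field for it, matching the variable set of codes described in the question. The same pattern works for any family of fields sharing a prefix, not only HTTP status counts.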
Using the http://splunk-base.splunk.com/apps/76026/scale-command you can do this:
... stats ... addtotals ... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" inverse=t | rename ...
Oh my god. This is gold:
rename sum(*) as *