Solved: Working with dynamically named fields (extract)

jbmchuck · ‎03-04-2013

I have a script which runs every minute to extract information from squid logs. I'm not interested in actually indexing the data from squid (far too much data) so instead I'm indexing a single line every minute showing the response code statistics from the last minute, for example:

HTTP0:43 HTTP200:19 HTTP301:4 HTTP302:1 HTTP304:46 HTTP403:5 HTTP404:5

Note that the inclusion of codes can vary line by line.

Ultimately I'd like to generate total hits and percentage of hits for each status. I've gotten this far:

index=myindex sourcetype=squid | extract pairdelim=" ", kvdelim=":", auto=f | stats sum(HTTP*) | addtotals fieldname=TotalHits | rename sum(*) as *

which returns something like (contrived output - generally there will be several more fields, HTTP404, 5XX, etc)

HTTP0   HTTP200 HTTP206 HTTP301 TotalHits
4322    1234    777     555     6888

What I'd like to do is generate a percentage field for each of the HTTP* columns. I know that eval doesn't handle wildcards, so that doesn't appear to be an option. Is there a way to simply tell splunk to multiply/divide all columns matching a prefix by a value from another field??

martin_mueller · ‎03-07-2013

Using the http://splunk-base.splunk.com/apps/76026/scale-command you can do this:

... stats ... addtotals ... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" inverse=t | rename ...

View solution in original post

martin_mueller · ‎03-07-2013

Using the http://splunk-base.splunk.com/apps/76026/scale-command you can do this:

... stats ... addtotals ... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" inverse=t | rename ...

jonuwz · ‎03-04-2013

Oh my god. This is gold :

rename sum(*) as *

Working with dynamically named fields (extract)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!