- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Sort a series of values for each _raw
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sort a series of values for each _raw
Hello,
Not sure how to start this one. In one of our app logs we have a series of latency numbers which for speed and overhead CPU usage are randomly inserted into our log. I am working on this "random insert" problem but for now i thought i would try to solve this via my search. Problem is i am not exactly sure how to start.
So each position of the latency number corresponds to a step in the process.
Example:
Position 1 - request header read
Position 2 - request header sent
Position 3 - front side transform begun
.
.
.
Position 16 - back side connection completed
Example of _raw for log entry:
So what i am struggling with is for each event or _raw entry for sorting the values from smallest to largest to figure out their appropriate position.
so above would turn into:
Latency: 0 0 1 12 14 14 14 14 14 54 55 55 61 61 61 61
from this i would understand that the 12 positions is 55 and the 16th is 61 which i can then chart etc.
I am thinking i could do this by an eval statement or maybe eventstats could help out? Let me know your thoughts, thanks for any help, Ethan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yoursearchhere
| eval uniqueID=index + "__" + _cd+"__" + splunk_server
| makemv delim=" " Latency
| mvexpand Latency
| sort uniqueID Latency
| mvcombine Latency
with thanks to @sideview for reminding me how to create a uniqueId for an event in Splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad, so after some playing it seems as though when you access a MV field via mvindex it actually sorts the array first then gives you back the value of the that particular index. Exmaple
MYmvfield might display: 1324
but if you do eval 2ndIndex = mvindex(MYmvfield,1) it will return 2
this is because it sorts the values to be 1234 then gives you the value of the index you are asking for.
My testing shows this, just wanted to make sure i am tracking? Thanks, Ethan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent, so i was on the same path. I believe the answer is i was trying to sort by event. In other words when i make my MV Field i get back below, the problem is until i sort or order the MV field i don't know which number is really in the index of 16 for an example. For below the 16th index would return 31, but it should be 190 (largest value). So basically if i can sort the MV field i can then start to apply the cool logic you had above. Hopefully that makes sense, thanks for you help, Ethan
rexLatency
1
0
31
0
31
31
26
0
177
190
179
190
190
185
179
31
31
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
After getting the value from Latency.
Just try this:
...|eval Latency=split(Latency," ")|eval l1=mvindex(Latency,11)|eval l2=mvindex(Latency,15)|eval l=l1." ".l2|eval Latency=split(l," ")|mvexpand Latency|sort - Latency
But i am not sure whether you want to sort it per event or by time.
Just a thought as it's very messy
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
