I have events like
_time host1=1 host2=10 host3=20
_time host1=2 host3=12 host3=30
The number of fields is not defined; I only know they begin with host*.
Is there a way to make an | eval sum=sum(host*) ?
In fact each host value is a percentage, and I would like to compute a 100% value from all the fields together:
...| eval sum=sum(host*) | eval nbfields=nbfields(host*) | eval usage=sum/nbfields
(I don't know if there is an nbfields-like function.)
Try this
yoursearchhere
| eval fieldCount = 0
| foreach host* [ eval fieldCount = fieldCount + 1 ]
| addtotals host* fieldname=hostTotal
| eval usage = hostTotal / fieldCount
Another option:
your base search
| rex max_match=0 "host[0-9]+=(?<HostValue>[^ ]+)"
| eval fieldCount=mvcount(HostValue)
| addtotals host* fieldname=hostTotal
| eval avgHostValue=hostTotal/fieldCount
Thank you, that solution is very interesting too, I'll try both to see which runs quicker.
addtotals served my use case, thanks 🙂
You may want to look at the addtotals command. This will only work if the host* fields are the only numeric fields in your events.
Hope this helps
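Added example, not part of any post in this thread: a self-contained search that averages the host* fields per event when not every event carries every field. The sample values are constructed, and the helper names pctSum and pctCount are assumptions, chosen so they do not themselves match host*; the isnotnull guard keeps a field that is missing from one event from nulling the sum or inflating the count.

```spl
| makeresults count=2
| streamstats count AS n
| eval host1 = if(n=1, 1, 2),
       host2 = if(n=1, 10, 12),
       host3 = if(n=1, 20, null()),
       host4 = if(n=1, null(), 30)
| eval pctSum = 0, pctCount = 0
| foreach host*
    [ eval pctSum   = pctSum   + if(isnotnull('<<FIELD>>'), '<<FIELD>>', 0),
           pctCount = pctCount + if(isnotnull('<<FIELD>>'), 1, 0) ]
| eval usage = if(pctCount > 0, round(pctSum / pctCount, 2), null())
| table n host* pctSum pctCount usage
```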