Splunk Tutorial
Splunk - Calculated Fields
Many times we need to perform calculations on fields that already exist in Splunk events, and we want to store the result of those calculations as a new field that later searches can reference. Splunk search makes this possible through the concept of calculated fields.
The simplest example is showing the first three characters of a weekday instead of the full day name. We need to apply a specific Splunk function to manipulate the field and store the new result under a new field name.
Example
The Web_application log file has two fields named bytes and date_wday. The value in the bytes field is a number of bytes, and we want to display this value in GB. This requires dividing the field by 1024 to get the GB value, so we need to apply this calculation to the bytes field.
Similarly, date_wday shows the full name of the weekday, but we only need to display the first three characters.
The existing values in these two fields are shown in the image below:
[Image: calculated fields 1]
Using the eval Function
To create a calculated field, we use the eval command. It stores the result of the calculation in a new field. We are going to apply the following two calculations:
# Divide bytes by 1024 and store the result in a field named byte_in_GB
| eval byte_in_GB = (bytes/1024)
# Extract the first three characters of the day name and store them in short_day
| eval short_day = substr(date_wday,1,3)
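An eval in a search creates the fields only for that search. To have Splunk compute the same two fields automatically at search time for every search over the data, the same expressions can be declared as calculated fields in props.conf; this is an added example, not part of the original tutorial, and the sourcetype name web_application is assumed.

```ini
# props.conf (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)
# Stanza name is the sourcetype the Web_application events are indexed under;
# "web_application" is an assumed value, replace it with the real sourcetype.
[web_application]

# Calculated fields use the form EVAL-<new_field_name> = <eval expression>.
# Splunk evaluates them at search time, after field extraction, so "bytes"
# and "date_wday" must already exist as extracted or default fields.
EVAL-byte_in_GB = bytes/1024
EVAL-short_day  = substr(date_wday,1,3)

# Note: calculated fields cannot reference other calculated fields from the
# same stanza, so each expression must be written in terms of raw fields.
# After saving, reload the configuration (for example via
# http(s)://<splunk_host>:8000/en-US/debug/refresh or a Splunk restart);
# the fields then appear in "All fields" for every search on this sourcetype.
```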
Adding New Fields
We add the new fields created above to the list of fields displayed as part of the search result. To do this, we choose the All fields option and tick the check mark against the names of these new fields, as shown in the image below:
[Image: calculated fields 2]