Just for completeness, to accomplish what this command does using only built-in commands, you could do something like the following search:
* | rex max_match=1000 "\W*(?<word>[a-zA-Z]+)\W*"
  | eval id=1 | accum id | fields word id
  | eventstats count
  | mvexpand word
  | eval word=lower(word)
  | stats max(count) as event_count
          dc(id) as events_with_word
          count as word_count
          by word
  | sort -events_with_word
  | eval percent_events_containing =
          round(events_with_word/event_count*100.0,2)
  | rename word_count as count
           events_with_word as "Events with word"
           event_count as "Event count"
           percent_events_containing as "Percent of events with word"
  | table count "Events with word" word
          "Event count" "Percent of events with word"
There is probably a more efficient way to do this work using built-in commands,
but this is what comes to mind initially.
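To make clear what the search above actually computes, here is an added Python example (not code from the book) that mirrors the pipeline over a handful of constructed events: the same `[a-zA-Z]+` token class as the `rex`, the `max_match` cap, lower-casing, a per-word total (`count`), the number of distinct events containing the word (`dc(id)`), and the percentage of all events containing it. The sample events and the secondary sort key on `word` (the SPL `sort` alone leaves ties in arbitrary order) are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample events (not from the page); each string stands in for one event's _raw text.
SAMPLE_EVENTS = [
    "ERROR failed to connect to database db01",
    "INFO connected to database db01",
    "ERROR timeout waiting for database",
    "WARN retrying connect",
]

# Same character class as the rex in the search: runs of ASCII letters only.
WORD_RE = re.compile(r"[a-zA-Z]+")


def word_stats(events, max_match=1000):
    """Return one row per word with the same columns the search produces.

    count                        -> stats count as word_count
    Events with word             -> stats dc(id) as events_with_word
    Event count                  -> eventstats count / stats max(count)
    Percent of events with word  -> round(events_with_word/event_count*100.0, 2)
    """
    event_count = len(events)
    word_count = Counter()         # total occurrences of each word
    events_with_word = Counter()   # number of distinct events containing each word

    for raw in events:
        # rex max_match=1000 keeps at most 1000 matches per event; eval word=lower(word)
        words = [w.lower() for w in WORD_RE.findall(raw)[:max_match]]
        word_count.update(words)
        # set() so each event contributes once per word, like dc(id) after mvexpand
        events_with_word.update(set(words))

    rows = []
    for word, n_events in events_with_word.items():
        rows.append({
            "count": word_count[word],
            "Events with word": n_events,
            "word": word,
            "Event count": event_count,
            "Percent of events with word": round(n_events / event_count * 100.0, 2),
        })

    # sort -events_with_word, with word as a tie-breaker for a deterministic order
    rows.sort(key=lambda r: (-r["Events with word"], r["word"]))
    return rows


if __name__ == "__main__":
    for row in word_stats(SAMPLE_EVENTS):
        print(row)
```

Running the module prints the table rows; `database` comes first because it appears in three of the four events (75.0 percent), while `to` shows `count` 3 but only 2 events, which is exactly the distinction between `word_count` and `events_with_word` that the search draws.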
Generating data
There are times when you want to create events out of thin air. These events could come from a database query, a web service, or simply some code that generates data useful in a query. Just to illustrate the plumbing, we will make a random number generator. You can find this example in ImplementingSplunkExtendingExamples/bin/random_generator.py:
import splunk.Intersplunk as si
from random import randint

# keywords holds the positional arguments, options the key=value pairs the user typed
keywords, options = si.getKeywordsAndOptions()


def getInt(options, field, default):
    # read an integer option, falling back to default when the user did not supply it
    try:
        return int(options.get(field, default))
    except Exception as e:
        # raise a user friendly exception
        raise Exception("%s must be an integer" % field)


try:
    min = getInt(options, 'min', 0)
    # (listing continues beyond this page)
except Exception as e:
    # assumed handler, not shown on this page: report the error to Splunk as a result row
    si.outputResults(si.generateErrorResults(str(e)))