https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539867#M37000 <P>Hello,</P><P>&nbsp;</P><P>I have a data stream getting populated every 5 minutes as below. There are 100s of features in the data.</P><P>Feature: Rectagle<BR />Side: 4<BR />User: A<BR />Used:1<BR />Time: 1/25/2021 5:00:00<BR />Block:1</P><P>Feature: Rectagle<BR />Side: 4<BR />User: A<BR />Used:1<BR />Time: 1/25/2021 5:00:00<BR />Block:2</P><P>Feature: square<BR />Side: 4<BR />User: B<BR />Used:1<BR />Time: 1/25/2021 5:05:00<BR />Block:1</P><P>Feature: Square<BR />Side: 4<BR />User: B<BR />Used:1<BR />Time: 1/25/2021 5:05:00<BR />Block:2</P><P>I need to sum the side for each side field along with the used column</P><P>Something as below.</P><P>Feature: Rectangle</P><P>Side: 8</P><P>used:2</P><P>Time: 1/25/2021 5:00:00</P><P>&nbsp;</P><P>The problem I have is, I could not sum the side either it comes as total across all events (it can be 4 * number of times it access across the period I selected) or 4. I am searching for a period of last 24 hours.</P><P>I tried with this, but not giving right value.</P><P>| foreach feature*<BR />[ eval subtotal = subtotal + 'side']<BR />| stats max(subtotal) as TOTAL by _time</P><P>&nbsp;</P> Mon, 15 Feb 2021 07:01:35 GMT vivekkumarkk 2021-02-15T07:01:35Z https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539867#M37000 <P>Hello,</P><P>&nbsp;</P><P>I have a data stream getting populated every 5 minutes as below. There are 100s of features in the data.</P><P>Feature: Rectagle<BR />Side: 4<BR />User: A<BR />Used:1<BR />Time: 1/25/2021 5:00:00<BR />Block:1</P><P>Feature: Rectagle<BR />Side: 4<BR />User: A<BR />Used:1<BR />Time: 1/25/2021 5:00:00<BR />Block:2</P><P>Feature: square<BR />Side: 4<BR />User: B<BR />Used:1<BR />Time: 1/25/2021 5:05:00<BR />Block:1</P><P>Feature: Square<BR />Side: 4<BR />User: B<BR />Used:1<BR />Time: 1/25/2021 5:05:00<BR />Block:2</P><P>I need to sum the side for each side field along with the used column</P><P>Something as below.</P><P>Feature: Rectangle</P><P>Side: 8</P><P>used:2</P><P>Time: 1/25/2021 5:00:00</P><P>&nbsp;</P><P>The problem I have is, I could not sum the side either it comes as total across all events (it can be 4 * number of times it access across the period I selected) or 4. I am searching for a period of last 24 hours.</P><P>I tried with this, but not giving right value.</P><P>| foreach feature*<BR />[ eval subtotal = subtotal + 'side']<BR />| stats max(subtotal) as TOTAL by _time</P><P>&nbsp;</P> Mon, 15 Feb 2021 07:01:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539867#M37000 vivekkumarkk 2021-02-15T07:01:35Z https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539976#M37008 <P>Have you tried this?</P><LI-CODE lang="markup">... | stats sum(Side) as Side, sum(Used) as Used, first(Time) as Time by Feature</LI-CODE> Mon, 15 Feb 2021 15:05:58 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539976#M37008 richgalloway 2021-02-15T15:05:58Z https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539986#M37011 <P>My problem is, there are 2 block fields. The sum of Side should be only from 2 blocks. With the above query, its sums up all the side field.</P><P>The query must select field side for rectangle from each block for any user within the selected time and sum only the sum of sides (here it is 8&nbsp; &nbsp;) always.</P><P>It should not add another 4 if user B uses from Block 1 only.&nbsp;</P><P>&nbsp;</P><P>Thats why I tried with foreach.</P> Mon, 15 Feb 2021 16:05:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539986#M37011 vivekkumarkk 2021-02-15T16:05:06Z https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539993#M37012 <P>If I understand correctly, you want different sums when the user changes.&nbsp; That can be done with this modification.</P><LI-CODE lang="markup">... | stats sum(Side) as Side, first(Time) as Time by Feature, User</LI-CODE> Mon, 15 Feb 2021 16:33:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sum-specific-field-value-across-all-events/m-p/539993#M37012 richgalloway 2021-02-15T16:33:43Z