https://community.splunk.com/t5/Reporting/Add-values-together-for-report/m-p/77590#M1781 <P>I have a SYSLOG output from a netscreen. There are two fields in each record that contain a value (sent) and (rcvd). I have enclosed an example below. I want to create a bar chart that will show the sum of these two values for the top ten IP addresses in (dst)</P> <P>I have tried various syntaxes in the report command pipe * | timechart sum(sent) by dst </P> <UL> <LI>| timechart sum(sent+rcvd) by dst</LI> <LI>| timechart sum((sent)+(rcvd)) by dst</LI> <LI>| timechart sum((sum(sent)+(sum(rcvd)) by dst</LI> </UL> <P>But clearly I am missing something in the syntax</P> <BLOCKQUOTE> <P>ssg5-serial: NetScreen device_id=0162102007000604 [Root]system-notification-00257(traffic): start_time="2010-10-26 11:34:30" duration=4 policy_id=6 service=icmp proto=1 src zone=Untrust dst zone=Trust action=Permit sent=78 rcvd=78 src=212.21.121.89 dst=212.21.101.193 icmp type=8 src-xlated ip=212.21.121.89 dst-xlated ip=212.21.101.193 session_id=2607 reason=Close - RESP\x00</P> </BLOCKQUOTE> Tue, 26 Oct 2010 17:47:18 GMT Dragonnet 2010-10-26T17:47:18Z https://community.splunk.com/t5/Reporting/Add-values-together-for-report/m-p/77590#M1781 <P>I have a SYSLOG output from a netscreen. There are two fields in each record that contain a value (sent) and (rcvd). I have enclosed an example below. I want to create a bar chart that will show the sum of these two values for the top ten IP addresses in (dst)</P> <P>I have tried various syntaxes in the report command pipe * | timechart sum(sent) by dst </P> <UL> <LI>| timechart sum(sent+rcvd) by dst</LI> <LI>| timechart sum((sent)+(rcvd)) by dst</LI> <LI>| timechart sum((sum(sent)+(sum(rcvd)) by dst</LI> </UL> <P>But clearly I am missing something in the syntax</P> <BLOCKQUOTE> <P>ssg5-serial: NetScreen device_id=0162102007000604 [Root]system-notification-00257(traffic): start_time="2010-10-26 11:34:30" duration=4 policy_id=6 service=icmp proto=1 src zone=Untrust dst zone=Trust action=Permit sent=78 rcvd=78 src=212.21.121.89 dst=212.21.101.193 icmp type=8 src-xlated ip=212.21.121.89 dst-xlated ip=212.21.101.193 session_id=2607 reason=Close - RESP\x00</P> </BLOCKQUOTE> Tue, 26 Oct 2010 17:47:18 GMT https://community.splunk.com/t5/Reporting/Add-values-together-for-report/m-p/77590#M1781 Dragonnet 2010-10-26T17:47:18Z https://community.splunk.com/t5/Reporting/Add-values-together-for-report/m-p/77591#M1782 <P>One way...</P> <PRE><CODE> ... | timechart eval(sum(sent)+sum(rcvd)) by dst </CODE></PRE> Tue, 26 Oct 2010 18:11:52 GMT https://community.splunk.com/t5/Reporting/Add-values-together-for-report/m-p/77591#M1782 bwooden 2010-10-26T18:11:52Z