topic Re: How to multiply a field count by the field value? in Splunk Search

How to multiply a field count by the field value?

ryan_t_gavin — Tue, 29 Sep 2020 20:27:57 GMT

We have a field whose values change called received_files. The values could be any integer. I need to take these values and multiply that integer by the count of the value.

This is best explained by an example:

received_files has the following field values: 1, 2, and 3. There are 100 results for "received_files=1", 50 results for "received_files=2", and 10 results for "received_files=3".

Based on this, I want to do this calculation: (1*100)+(2*50)+(3*10)=210. Then I want to put that 210 into a field called "total_files_received". The value of received_files changes all the time and could have 1, 2, and 3 one second, then it could have 350 in there the next.

How do I do this?

Re: How to multiply a field count by the field value?

somesoni2 — Tue, 17 Jul 2018 16:20:26 GMT

Try something like this

your current search fetching field received_files
|stats count by received_files
| eval total_files_received=received_files*count
| stats sum(total_files_received) as total_files_received

Re: How to multiply a field count by the field value?

ryan_t_gavin — Tue, 17 Jul 2018 18:01:11 GMT

I did NOT know you could just multiply it by "count". I've always used it as you did in stats, or by using count(). Thanks! That did exactly what I wanted.

Re: How to multiply a field count by the field value?

rlaul — Wed, 30 Sep 2020 01:45:27 GMT

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

    "\(TOTAL_REC\)::"
    |rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
    |stats count  by Batch_Size
    | eval tc = Batch_Size*count
    | stats sum(tc) as tc

Multiplying "count" by a whole number returns expected result with three columns. When i replace 10 with Batch_Size, it gives only two columns : Batch_Size, count.

Not sure why Batch_Size is not working in the multiplication operation.

"\(TOTAL_REC\)::" 
 |rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))" 
 | convert num(Batch_Size) 
 | stats count BY Batch_Size
 | eval tc = (10 * count)

Splunk Enterprise Version: 7.2.6

Any help will be appreciated. Thanks, Ro

Re: How to multiply a field count by the field value?

rlaul — Tue, 13 Aug 2019 12:59:11 GMT

It did not work for me 😞 . Please see my comment above.

Re: How to multiply a field count by the field value?

somesoni2 — Tue, 13 Aug 2019 13:48:59 GMT

Can you post some sample raw data? I'm guessing field Batch_Size is not recognized as number (per your field extraction, you're extracting a space as well in its value) and the multiplication is failing. Give this a try as well

"\(TOTAL_REC\)::"
     |rex field=_raw "(\(TOTAL_REC\)::)\s(?P<Batch_Size>\d)"
     |stats count  by Batch_Size
     | eval tc = Batch_Size*count
     | stats sum(tc) as tc

Re: How to multiply a field count by the field value?

rlaul — Fri, 23 Aug 2019 15:29:19 GMT

Thank you somesoni2. That worked. I really appreciate your help. 🙂