https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56506#M13847 <PRE><CODE>... | stats sum(qs_*) | transpose </CODE></PRE> <P>should do it.</P> Thu, 23 Sep 2010 08:18:54 GMT gkanapathy 2010-09-23T08:18:54Z https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56505#M13846 <P>This seems like it would be easy. Maybe it is, and I'm being thick today. <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> <P>Log lines look like</P> <PRE><CODE>... server1 qs_queue1=50 qs_queue3=60 qs_queue10=100 ... server2 qs_queue4=50 qs_queue6=10 qs_queue10=150 ... server3 qs_queue1=20 qs_queue4=70 qs_queue3=150 </CODE></PRE> <P>I want to create a chart that will list each distinct qs_* field in rows with the sum of all values for that particular qs_ field in the searched time frame listed next to it:</P> <PRE><CODE>qs_queue10 250 qs_queue1 70 qs_queue4 120 </CODE></PRE> <P>... etc.</P> <P>The chart command</P> <PRE><CODE>... | chart sum(qs_*) </CODE></PRE> <P>charts in the wrong orientation in 2 rows, with the qs_ fields along the top row, and their values in the 2nd row. Same data being displayed, but in a far less presentable way.</P> <P>TIA, jon</P> Thu, 23 Sep 2010 07:59:12 GMT https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56505#M13846 twinspop 2010-09-23T07:59:12Z https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56506#M13847 <PRE><CODE>... | stats sum(qs_*) | transpose </CODE></PRE> <P>should do it.</P> Thu, 23 Sep 2010 08:18:54 GMT https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56506#M13847 gkanapathy 2010-09-23T08:18:54Z https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56507#M13848 <P>Crikey, should have found that. Thanks!</P> Thu, 23 Sep 2010 08:39:50 GMT https://community.splunk.com/t5/Splunk-Search/List-sum-of-fields-across-events/m-p/56507#M13848 twinspop 2010-09-23T08:39:50Z