topic Re: Combine the Sum of Two Fields in Splunk Search

Combine the Sum of Two Fields

bcarr12 — Thu, 19 Mar 2020 17:21:07 GMT

Hi all,

For a search similar to the following:
index=myindex "Search Term" NOT field=value source="mylog.log" | eval totalx=aCount+bCount | stats sum(totalx) by y | sort -sum(totalx)

Splunk returns exactly the data I am looking for. A table of sum(totalx) by y (of which there are around 5 different values of y). I have a request to combine the sum(totalx) values for 2 of the 5 values and treat them as one value but leave the rest unchanged. What would be the best way to accomplish this?

For instance, right now my search returns a table similar to this:
y sum(totalx)
1 10
2 20
3 30
4 40
5 50

I am essentially trying to create an additional field, let's call it 45, which represents the sum of 4 and 5 at all times. So instead, the data being visualized is:
y sum(totalx)
1 10
2 20
3 30
45 90

Thanks!

Re: Combine the Sum of Two Fields

richgalloway — Thu, 19 Mar 2020 17:28:22 GMT

Combine 4 and 5 before calling stats.

index=myindex "Search Term" NOT field=value source="mylog.log" 
| eval totalx=aCount+bCount, y=case(y=4 OR y=5, 45, 1==1, y) 
| stats sum(totalx) by y | sort -sum(totalx)

Re: Combine the Sum of Two Fields

bcarr12 — Thu, 19 Mar 2020 17:40:20 GMT

Hmm, this doesn't seem to do anything. Although I think it doesn't work because if I don't do stats I don't get the numerical values to combine. Stats is what causes the totalx by y to become available. Before I run stats y is just a text field=value pair that is non numerical if that makes sense?

Re: Combine the Sum of Two Fields

richgalloway — Thu, 19 Mar 2020 22:08:02 GMT

Field y must exist before stats or you'll get no results.
The case function in my answer is doing the combining. It doesn't need numeric values (if you have nonnumeric values, use quotation marks (y="d" OR y="e", "de")). It produces data like this:

Then stats can do the sums to produce