https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547978#M155389 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233446">@yuming1127</a>&nbsp;</P><P>There's something odd in your SPL</P><P>In the eval line you are adding the following <STRONG>numbers</STRONG> together</P><LI-CODE lang="markup">| eval effort=exact(21+31+61+1103+7306+7505+15105+15106+15122)</LI-CODE><P>so here effort evaluates to the number 61360</P><P><FONT color="#FF0000">BUT <FONT color="#000000">in this statement&nbsp;</FONT></FONT></P><LI-CODE lang="markup">| table tag,effort,16910,21,31,61,1103,7306,7505,15105,15106,15122</LI-CODE><P>you are using these 'numbers' as fields and in your image they are actually field names containing only numbers.</P><P>So, the problem is that your eval statement is wrong in that it is adding up numbers not fields. In order to treat those fields as fields not numbers, you need to wrap them in single quotes, '. So your eval should be</P><LI-CODE lang="markup">| eval effort=('21'+'31'+'61'+'1103'+'7306'+'7505'+'15105'+'15106'+'15122')</LI-CODE><P><FONT color="#FF0000">BUT</FONT> that will not give you your result for all rows, as the '21' field in row 1 in your example has no value, so will make 'effort' have no value.</P><P>You should use addtotals as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;suggests and that will handle ALL fields or just the ones you specify and also handle the null value case.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 15 Apr 2021 06:14:52 GMT bowesmana 2021-04-15T06:14:52Z https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547824#M155347 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yuming1127_1-1618371569128.png" style="width: 454px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13755i29167F93D1DD3217/image-dimensions/454x184?v=v2" width="454" height="184" role="button" title="yuming1127_1-1618371569128.png" alt="yuming1127_1-1618371569128.png" /></span></P><P class="lia-align-left">command:</P><P class="lia-align-left">search....</P><P class="lia-align-left">| eval effort=exact(21+31+61+1103+7306+7505+15105+15106+15122)<BR />| table tag,effort,16910,21,31,61,1103,7306,7505,15105,15106,15122<BR /><BR /></P><P>how can i get effort = sum of field in same row instead of overall sum.</P><P>expected output:</P><P>effort</P><P>4</P><P>2</P><P>2</P><P>4</P><P>4</P><P>4</P> Wed, 14 Apr 2021 03:45:02 GMT https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547824#M155347 yuming1127 2021-04-14T03:45:02Z https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547828#M155349 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233446">@yuming1127</a>,</P><P>You can use addtotals command;</P><LI-CODE lang="markup">| eval effort=exact(21+31+61+1103+7306+7505+15105+15106+15122) | table tag,effort,16910,21,31,61,1103,7306,7505,15105,15106,15122 | addtotals</LI-CODE><P>&nbsp;</P> Wed, 14 Apr 2021 04:13:27 GMT https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547828#M155349 scelikok 2021-04-14T04:13:27Z https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547832#M155351 <P>Great one, really appreciate your solution. Quick and easy</P> Wed, 14 Apr 2021 04:33:45 GMT https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547832#M155351 yuming1127 2021-04-14T04:33:45Z https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547978#M155389 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233446">@yuming1127</a>&nbsp;</P><P>There's something odd in your SPL</P><P>In the eval line you are adding the following <STRONG>numbers</STRONG> together</P><LI-CODE lang="markup">| eval effort=exact(21+31+61+1103+7306+7505+15105+15106+15122)</LI-CODE><P>so here effort evaluates to the number 61360</P><P><FONT color="#FF0000">BUT <FONT color="#000000">in this statement&nbsp;</FONT></FONT></P><LI-CODE lang="markup">| table tag,effort,16910,21,31,61,1103,7306,7505,15105,15106,15122</LI-CODE><P>you are using these 'numbers' as fields and in your image they are actually field names containing only numbers.</P><P>So, the problem is that your eval statement is wrong in that it is adding up numbers not fields. In order to treat those fields as fields not numbers, you need to wrap them in single quotes, '. So your eval should be</P><LI-CODE lang="markup">| eval effort=('21'+'31'+'61'+'1103'+'7306'+'7505'+'15105'+'15106'+'15122')</LI-CODE><P><FONT color="#FF0000">BUT</FONT> that will not give you your result for all rows, as the '21' field in row 1 in your example has no value, so will make 'effort' have no value.</P><P>You should use addtotals as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;suggests and that will handle ALL fields or just the ones you specify and also handle the null value case.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 15 Apr 2021 06:14:52 GMT https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/547978#M155389 bowesmana 2021-04-15T06:14:52Z https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/548735#M155673 <P>ya, found a way to replace the null value with 0 and follow up with eval function, that worked too. Thanks!</P> Wed, 21 Apr 2021 07:47:14 GMT https://community.splunk.com/t5/Splunk-Search/overall-sum-and-aggregate-sum/m-p/548735#M155673 yuming1127 2021-04-21T07:47:14Z