https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26256#M177640 <P>How can i use wild card character in this scenario when i just have a search pattern like incident name INC* in place of John</P> Wed, 09 Nov 2016 06:39:26 GMT surekhasplunk 2016-11-09T06:39:26Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26252#M177636 <P>I'm new to splunk and it's a little over my head. Please forgive me. I loaded data from a csv file into splunk. The csv file contains two column headers--one text and one numerical. </P> <P>Column A - "John", "Jack", "Tom", "John"<BR /> Column B - 9, 7, 5, 3</P> <P>Is it possible in splunk (or a third party method) to sum field A where Field B does NOT contain a specific word? Using the example above, sum all the fields in Column B where Column A is NOT equal to "John." If yes, please provide some concrete examples or at least a push in the right direction would be much appreciated.</P> Sat, 09 Feb 2013 05:39:09 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26252#M177636 handygecko 2013-02-09T05:39:09Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26253#M177637 <PRE><CODE>source=myfile.csv | where A!="John" | stats sum(B) </CODE></PRE> Sat, 09 Feb 2013 08:25:31 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26253#M177637 gkanapathy 2013-02-09T08:25:31Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26254#M177638 <P>Thank you! This answered my question and many others. I also discovered--for anyone who may read this later--that 'where' can be omitted:</P> <P>source=myfile.csv A!="John" | stats sum(B)</P> <P>and wildcards can be used:</P> <P>source=myfile.csv | where A!="Jo*" | stats sum(B)</P> <P>Thanks again for the help.</P> Sat, 09 Feb 2013 17:29:14 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26254#M177638 handygecko 2013-02-09T17:29:14Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26255#M177639 <P>one more thing. If you need multiple sums, you can do:</P> <PRE><CODE>source=myfile.csv | stats sum(eval(if(A!="John",B,null()))) as sumifnotjohn sum(eval(if(A=="John",B,null()))) as sumifjohn sum(B) as totalsum </CODE></PRE> Sat, 09 Feb 2013 19:27:26 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26255#M177639 gkanapathy 2013-02-09T19:27:26Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26256#M177640 <P>How can i use wild card character in this scenario when i just have a search pattern like incident name INC* in place of John</P> Wed, 09 Nov 2016 06:39:26 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26256#M177640 surekhasplunk 2016-11-09T06:39:26Z https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26257#M177641 <P>I also second what @surekhasplunk has commented. Instead of (A=="John"), use (A=="John*") for the case when you have John1, John2, John3..... and so on in Column A. It (eval) doesn't seem to accept wildcards, at least when I attempted this approach. </P> Fri, 16 Nov 2018 16:57:25 GMT https://community.splunk.com/t5/Splunk-Search/Conditionals-is-there-a-way-in-splunk-to-sum-field-A-if-Field-B/m-p/26257#M177641 l1bertyx 2018-11-16T16:57:25Z