topic how to sum 2 fields of value in Splunk Search

how to sum 2 fields of value

JelianeL — Fri, 19 Oct 2012 01:27:29 GMT

Hi, if I have:

2012-10-16T03:27:05+0000, cCount:0 , lCount:17,

in an event. How can I cCount + lCount = totalCount?

Can guide me please. Thank you 😃

Re: how to sum 2 fields of value

reed_kelly — Fri, 19 Oct 2012 02:27:08 GMT

Add an

|eval totalCount = cCount + lCount

to your search.

Re: how to sum 2 fields of value

JelianeL — Fri, 19 Oct 2012 02:32:23 GMT

Hi thanks for your reply.

But in my fields there is no totalCount.

So if I add |eval totalCount = cCount(9) + lCount(11)

By right, it will display a field totalCount?

And give me the value 20?

How should I go about to "declare" totalCount?

Re: how to sum 2 fields of value

reed_kelly — Fri, 19 Oct 2012 04:31:30 GMT

The eval command creates the field totalCount if it does not exist. Take a look at the doc on eval:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

It's a good command to take a close look at. Check the Functions for eval and where as well.

Re: how to sum 2 fields of value

reed_kelly — Fri, 19 Oct 2012 04:46:45 GMT

Also, the addtotals command may help you:

...|addtotals fieldname=totalCount *Count

If it would help you in learning Splunk commands, check out my Quizlet set on Search Commands:

http://quizlet.com/11171217/splunk-search-commands-flash-cards/

Re: how to sum 2 fields of value

JelianeL — Fri, 19 Oct 2012 06:45:43 GMT

Thank you for your links =D will take a look at it.

Re: how to sum 2 fields of value

JelianeL — Fri, 19 Oct 2012 08:49:46 GMT

Thanks to you, I solved my previous problem 🙂

Another question with ---> max(totalCount)

How do I display it together with other fields?

Currently only return totalCount.

I tried by message, it does give me message but it returns me all the events.

Re: how to sum 2 fields of value

reed_kelly — Fri, 19 Oct 2012 11:27:31 GMT

Continuing from your last comment...

If you just want the max totalCount, then you can use the stats command. Combined with above:

  |eval totalCount = cCount + lCount |stats max(totalCount)

If you want all the rows that you had previously, then you can tack it on with eventstats:

 |eval totalCount = cCount + lCount 
 |eventstats max(totalCount) as maxTotal 
 |table cCount, lCount, totalCount, maxTotal

If you want to single out the row with the max:

  |eval totalCount = cCount + lCount 
  |eventstats max(totalCount) as maxTotal 
  |where totalCount = maxTotal
  |table cCount, lCount, totalCount, maxTotal

Re: how to sum 2 fields of value

rbardonetorian — Wed, 02 Mar 2016 16:55:04 GMT

Nice addition... Very thoughtful.. Thanks!

Re: how to sum 2 fields of value

fariapm1 — Tue, 29 Sep 2020 16:55:48 GMT

Hi,

I have a similar question, but the awnser does not fit to me. In my case I have a list of all server sessions state:

"User Sessions" =25, /  "Active Sessions"=10  /  "Disconnected Sessions"=14 / "Idle Sessions"=1 / "Other Sessions"=0

If I add the line to my search:
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"

the result is:

"User Sessions" =25,
"Active Sessions"=10

total_disconnect= Disconnected_SessionsIdle_SessionsOther_Sessions

query:
index=app_servers sourcetype="Computers"
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"
| table "User Sessions", "Active Sessions",totalCount, "Disconnected Sessions", "Idle Sessions", "Other Sessions", "Name"

Basically, it concatenates the name of the fields . Can someone point me to the right direction?

Thanks!!!!

Re: how to sum 2 fields of value

fariapm1 — Mon, 15 Jan 2024 13:05:23 GMT

Hi,

Found the solution:

| eval totalCount = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'

The problem was that the field name has a space, and to sum I need to use single quotes.

User Sessions Active Sessions totalCount
39 26 13

13 12 1

18 13 5

Re: how to sum 2 fields of value

kimikoyan — Wed, 05 Sep 2018 10:23:05 GMT

Thanks !!! This answer also fits my question. Neither double quotes nor zero quotes, but single quotes can do the correct number sum and return the correct values. Thanks.