topic sum specific field value in Splunk Search https://community.splunk.com/t5/Splunk-Search/sum-specific-field-value/m-p/422465#M191053 <P>I have below events-</P> <PRE><CODE>value=1 value=3 value=5 value=0 value=4 value=5 value=6 value=0 value=1 </CODE></PRE> <P>Here I want to pick last value before value=0 and at end value if there is no zero value at end like in above case I want value=5 and value=6 and value=1<BR /> and add these value to get result as <CODE>value=12</CODE><BR /> Kindly guide me to achieve this.<BR /> In script it can be done by storing variable and at end adding all. How this can be done in splunk.<BR /> Thanks.</P> Fri, 02 Aug 2019 11:17:38 GMT ips_mandar 2019-08-02T11:17:38Z sum specific field value https://community.splunk.com/t5/Splunk-Search/sum-specific-field-value/m-p/422465#M191053 <P>I have below events-</P> <PRE><CODE>value=1 value=3 value=5 value=0 value=4 value=5 value=6 value=0 value=1 </CODE></PRE> <P>Here I want to pick last value before value=0 and at end value if there is no zero value at end like in above case I want value=5 and value=6 and value=1<BR /> and add these value to get result as <CODE>value=12</CODE><BR /> Kindly guide me to achieve this.<BR /> In script it can be done by storing variable and at end adding all. How this can be done in splunk.<BR /> Thanks.</P> Fri, 02 Aug 2019 11:17:38 GMT https://community.splunk.com/t5/Splunk-Search/sum-specific-field-value/m-p/422465#M191053 ips_mandar 2019-08-02T11:17:38Z Re: sum specific field value https://community.splunk.com/t5/Splunk-Search/sum-specific-field-value/m-p/422466#M191054 <P>You can try this,</P> <PRE><CODE>| makeresults | eval value="1,3,5,0,4,5,6,0,1" | makemv delim="," value | mvexpand value | fields - _time | streamstats current=f window=1 last(value) as break | append [| makeresults | eval value="1,3,5,0,4,5,6,0,1" | makemv delim="," value | mvexpand value | fields - _time | stats last(value) as final] | fillnull value=0 | search value=0 | eval sum=break+final | stats sum(sum) as sum </CODE></PRE> <P>In your case, it will be </P> <PRE><CODE>`your query` | streamstats current=f window=1 last(value) as break | append [| `your query` | stats last(value) as final] | fillnull value=0 | search value=0 | eval sum=break+final | stats sum(sum) as sum </CODE></PRE> Fri, 02 Aug 2019 12:30:30 GMT https://community.splunk.com/t5/Splunk-Search/sum-specific-field-value/m-p/422466#M191054 bangalorep 2019-08-02T12:30:30Z