topic How to multiply? in Splunk Search

How to multiply?

rlaul — Tue, 13 Aug 2019 12:23:02 GMT

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P\s(\d))"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc

Any help will be appreciated.

Thanks, Ro,

Re: How to multiply?

jpolvino — Tue, 13 Aug 2019 13:16:20 GMT

When you do a stats command (line 3), the fields visible before it become inaccessible. One way to solve your question:

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P\s(\d))"
|stats count  AS Volume BY Batch_Size
| eval tc = Batch_Size*Volume

This creates a new field, but you need a field name (Volume) in your stats command for it to work.

Re: How to multiply?

mayurr98 — Tue, 13 Aug 2019 15:59:59 GMT

could you pls post the output of first 3 lines?