topic Re: How to create a new field from existing fields after a sum in Splunk Search

How to create a new field from existing fields after a sum

dtccsundar — Tue, 24 Aug 2021 12:04:13 GMT

Hi,

I need a help in creating a field using/grouping sum of 2 existing fields .

Ex:

field 1- count_of_true(These will have independent counts for each services)

fields 2 - count_of_false(These will have independent counts for each services)

I am looking for a fields status which has sum(count_of_true) as true & sum(count_of_false) as false as below after a stats like( |stats count by status)

Status count

true 212

false 313

I tried using transpose ,but the stats gives unexpected value ,

Re: How to create a new field from existing fields after a sum

kamlesh_vaghela — Tue, 24 Aug 2021 12:16:44 GMT

@dtccsundar

Are you looking for this? Just update your stats command.

| stats count(eval(Status="true")) as true count(eval(Status="false")) as false

Re: How to create a new field from existing fields after a sum

manjunathmeti — Tue, 24 Aug 2021 12:26:22 GMT

hi @dtccsundar,

This might give you what you asked.

| makeresults | eval count_of_true=212, count_of_false=313 | eval count=mvzip(count_of_true, count_of_false), count=split(count, ","), Status=split("true,false", ","), zip=mvzip(Status, count) | mvexpand zip | eval zip=split(zip, ","), Status=mvindex(zip, 0), count=mvindex(zip, 1) | table Status, count

If this reply helps you, a like would be appreciated.

Re: How to create a new field from existing fields after a sum

dtccsundar — Tue, 24 Aug 2021 13:13:01 GMT

Thank you manjunathmeti ,

It gives count of each service (true and false ) and the the sum of (true and false)

| eval count_of_true=212, count_of_false=313
This is dynamic value which i will get after sum(true) and sum(false) and not the static one .

is there any other way ?

Re: How to create a new field from existing fields after a sum

dtccsundar — Tue, 24 Aug 2021 13:15:17 GMT

Thank you kamlesh_vaghela,

When i tried this i am getting the count as 0 for both true and false .

Adding to that ,

Sum(true) and sum(false) for each service is my need .

Any other way to achieve this ?

Re: How to create a new field from existing fields after a sum

dtccsundar — Wed, 01 Sep 2021 08:58:15 GMT

Please help me to get solution for this .

Re: How to create a new field from existing fields after a sum

isoutamo — Wed, 01 Sep 2021 09:12:48 GMT

@kamlesh_vaghela 's answer should work. You just need to update field names if needed etc.

Here is one query which you can use as start point with your testing.

index=_internal earliest=-1h | stats count(eval(component="Metrics")) as true count(eval(component="ProcessTracker")) as false

This should give you some values if you have access to _internal index. If not then just replace index name and those evaluation conditions (component="Metrics") with your field and wanted value of that field.

r. Ismo

Re: How to create a new field from existing fields after a sum

dtccsundar — Tue, 07 Sep 2021 05:40:43 GMT

Hi Ismo,

Thank you !!

| stats count(eval("Status"="True")) as True count(eval("Status"="False")) as "False"

I am getting ,

True False

0 0

Please help me out

Re: How to create a new field from existing fields after a sum

PickleRick — Tue, 07 Sep 2021 06:25:56 GMT

To be honest I'm not sure what you're trying to achieve and from what kind of data.

Do you have various fields in your events that each can have a value of true and false? And do you want to do an aggregate stats over all fields over all events?

Or do you want to have a stats value for each event over all fields of that event?

Or something else?

Re: How to create a new field from existing fields after a sum

dtccsundar — Tue, 07 Sep 2021 08:18:14 GMT

Hi PickleRick,

The below one is the one which triggered that.

I have to get % of 2 and 3 values in a same field .

Status count

True 200

False 50

Error 10

exc 5

temp 6

Total 271

I need to get true% by true+error /Total * 100 and False% by False+exc+temp/Total*100.

Please help me with the solution .