topic Re: How do I sum 2 field extractions if only one field extraction exists per log? in Splunk Search

How do I sum 2 field extractions if only one field extraction exists per log?

philallen1 — Fri, 05 Dec 2014 10:36:56 GMT

So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault".

The dealtCurrencyDefault field will ALWAYS appear in my logs. However, the dealtCurrency field appears only in some logs. When the dealtCurrency appears, my regex ignores the dealtCurrencyDefault field altogether. So, my regex only ever gives me one field back - dealtCurrencyDefault (if there is no dealtCurrency), and dealtCurrency (if there is dealtCurrency).

I'm now trying to create a chart that displays the "currency" along the x axis and the "number of occurrences" along the y axis.

How can I write a search query that creates this chart?

I've tried things along the lines of:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
   | chart sum(currency ) as suma by currency

This gives me all the currencies, but it doesn't sum them to create the "number of occurrences" field (I just get empty field for the suma column).

Any ideas? Should I be using 'buckets'? Not really sure how to use them...

Thanks!

(Also not sure if the title is accurately describing this - so please feel free to suggest a more suitable one)

Re: How do I sum 2 field extractions if only one field extraction exists per log?

wpreston — Fri, 05 Dec 2014 13:15:14 GMT

Have you tried using count instead of sum?

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
| chart count(currency) as CurrencyCount by currency

Re: How do I sum 2 field extractions if only one field extraction exists per log?

philallen1 — Fri, 05 Dec 2014 13:26:55 GMT

Hi wpreston. Thanks for the comment, however it doesn't seem to be working. It returns each currency in one column but the CurrencyCount is 0 for each currency. Any other ideas are welcome!

Re: How do I sum 2 field extractions if only one field extraction exists per log?

wpreston — Fri, 05 Dec 2014 13:32:20 GMT

Can you share the rest of your search?

Re: How do I sum 2 field extractions if only one field extraction exists per log?

philallen1 — Fri, 05 Dec 2014 13:36:24 GMT

Hey wpreston

Acutally, it has randomly decided to work! (No idea what made it work - Splunk seems to be quite temperamental). So this is my final query:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault) | chart count(currency) as CurrencyCount by currency

Thanks a lot for your help!

Re: How do I sum 2 field extractions if only one field extraction exists per log?

wpreston — Fri, 05 Dec 2014 13:38:55 GMT

You're very welcome, glad it worked for you!