https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169020#M48254 <P>I actually figured out that my problem was the length of the _raw field itself. Occasionally the data I'm pulling in has valid event-per-line events that exceed 10,000 characters, so I had to turn truncate off in the sourcetypes and it stopped chopping off my data in random places. Splunk has a default limit here of 10,000 characters. Unfortunately I lost some data in the process of learning this that can't be regenerated but I'll catch it for future iterations. </P> <P>Thanks for the help!</P> Mon, 04 Aug 2014 19:59:21 GMT mjones414 2014-08-04T19:59:21Z https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169017#M48251 <P>in the following situation:<BR /> ... | stats sum(SumofCoreSecs) as total | eval Total = tostring(total, "commas") | table Total</P> <P>This works fine up until a certain length of a number, but I recently ran across a sum value that went negative: </P> <P>-9,302,873,272,376</P> <P>I know that there are no negative numbers in the raw data. Is this a condition of the sum function?</P> Mon, 04 Aug 2014 12:52:06 GMT https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169017#M48251 mjones414 2014-08-04T12:52:06Z https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169018#M48252 <P>Does the field SumofCoreSecs have commas?</P> Mon, 04 Aug 2014 14:18:20 GMT https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169018#M48252 okrabbe_splunk 2014-08-04T14:18:20Z https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169019#M48253 <P>Assuming that your SumofCoreSecs doesn't contain commas, i tested the sum function with much bigger values and it worked just fine.</P> <P>In case if your SumofCoreSecs contain commas then use convert function to remove commas. See this link <A href="http://">http://answers.splunk.com/answers/36792/how-to-sum-numbers-with-commas</A></P> Mon, 04 Aug 2014 15:21:48 GMT https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169019#M48253 strive 2014-08-04T15:21:48Z https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169020#M48254 <P>I actually figured out that my problem was the length of the _raw field itself. Occasionally the data I'm pulling in has valid event-per-line events that exceed 10,000 characters, so I had to turn truncate off in the sourcetypes and it stopped chopping off my data in random places. Splunk has a default limit here of 10,000 characters. Unfortunately I lost some data in the process of learning this that can't be regenerated but I'll catch it for future iterations. </P> <P>Thanks for the help!</P> Mon, 04 Aug 2014 19:59:21 GMT https://community.splunk.com/t5/Splunk-Search/Comma-separated-number-in-sum-function-going-negative/m-p/169020#M48254 mjones414 2014-08-04T19:59:21Z