topic Re: sum of all the fields and aggregate sum in Splunk Search

sum of all the fields and aggregate sum

shrirangphadke — Tue, 30 Jun 2015 21:39:58 GMT

Hi,

I am having a tough time in creating overall sum and aggregate sum. Here is my issue:

I have multiple values between client-server:

source destination client_to_server_bytes server_to_client_bytes
    A --   B                10                                   12
    A --   B                10                                   10
    A --   C                50                                   30
    C --   D                15                                   15
    c --   D                10                                   10

I want to create a table with addition of two values in all occurrences. And final value would have addition of all the additions:

A -- B 42
A -- C 80
C -- D 50

To get first addition I did:

my_search ... | eval total_bytes = exact(val_1 + val_2) | table source destination total_bytes

This correctly gave me following result:

A -- B 22
A -- B 20
...and so on

Now how do I combine them to form a single result?

Re: sum of all the fields and aggregate sum

woodcock — Tue, 30 Jun 2015 21:43:47 GMT

Like this:

 my_search ... | eval total_bytes = exact(val_1 + val_2) | stats sum(total_bytes) by source destination

Re: sum of all the fields and aggregate sum

shrirangphadke — Tue, 30 Jun 2015 21:49:54 GMT

It was easy! I am really dumb.. Anyways Thanks for your help !!

Re: sum of all the fields and aggregate sum

woodcock — Tue, 30 Jun 2015 21:54:41 GMT

So am I but Splunk makes even dummies look brilliant!

Re: sum of all the fields and aggregate sum

shrirangphadke — Tue, 30 Jun 2015 22:06:32 GMT

very true !