topic How to graph the sum of field A where field B=TRUE and field C=FALSE into a timechart by day? in Splunk Search

How to graph the sum of field A where field B=TRUE and field C=FALSE into a timechart by day?

marcoeur5 — Tue, 29 Sep 2020 09:54:10 GMT

The question is the simple case of one set of conditions. My goal is to line graph (4) variations in one chart:

sum field A where field B=TRUE and field C=FALSE as outbound
sum field A where field B=FALSE and field C=TRUE as inbound
sum field A where field B=TRUE and field C=TRUE as internal
sum field A where field B=FALSE and field C=FALSE as passthru
pipe into a timechart by day.

This working Splunk search charts the number of records that satisfies each of the 4 tests, but I can't figure out how to sum the Field A (producer_filename_bytes) of those matching records to line chart the 4 cumulative bytes of each?

index=prd_sterling sourcetype="sfg:fg_activity" state=Routed | timechart per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="FALSE")) AS TotalOutbound, 
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="TRUE")) AS TotalInbound,
per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="TRUE")) AS TotalInternal,
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="FALSE")) AS TotalPassThru

Thanks very much! -Marc

Re: How to graph the sum of field A where field B=TRUE and field C=FALSE into a timechart by day?

somesoni2 — Wed, 08 Jun 2016 16:46:47 GMT

Try like this

index=prd_sterling sourcetype="sfg:fg_activity" state=Routed 
| eval Outbound=if(producer_is_internal="TRUE" and consumer_is_internal="FALSE",producer_filename_bytes,0)
| eval Inbound=if(producer_is_internal="FALSE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval Internal=if(producer_is_internal="TRUE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval PassThru=if(producer_is_internal="FALSE" and consumer_is_internal="FALSE",producer_filename_bytes,0) | 
| timechart per_day(Outbound) as TotalOutbound per_day(Inbound) as TotalInbound per_day(Internal) AS TotalInternal,
per_day(PassThru) AS TotalPassThru

Re: How to graph the sum of field A where field B=TRUE and field C=FALSE into a timechart by day?

marcoeur5 — Wed, 08 Jun 2016 17:18:28 GMT

Thanks somesoni2! That works perfectly. Really appreciate the assist.

FYI to others, remove the second pipe ahead of the timechart command.

Re: How to graph the sum of field A where field B=TRUE and field C=FALSE into a timechart by day?

ppablo — Wed, 08 Jun 2016 17:30:47 GMT

Hi @marcoeur5

Glad you found an answer through @somesoni2 🙂 Don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote his answer for helping you out.

Cheers
Patrick