https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278159#M83970 <P>Hi, even with dots it still seems to be working fine for me. The dots are renamed to _ automatically but that's all.<BR /> Maybe you have to fillnull those empty values you might find so that the subtotal works.</P> <P>See if the following helps:</P> <PRE><CODE>your base search | eval subtotal = 0 | fillnull value=0 | foreach Product* [ eval subtotal = subtotal + '&lt;&lt;FIELD&gt;&gt;'] | eventstats sum(subtotal) as TOTAL, sum(Product*) as Product*_subtotal </CODE></PRE> <P>This is what I get in my lab (see attached picture):</P> <P><IMG src="http://i.imgur.com/btUDzLJ.png" alt="alt text" /><BR /> <A href="http://i.imgur.com/btUDzLJ.png">http://i.imgur.com/btUDzLJ.png</A></P> <P>If that doesn't work I would suggest for you to raise a new question and provide as much info as you can (log samples, queries you are running, etc).</P> Thu, 26 Jan 2017 14:11:45 GMT javiergn 2017-01-26T14:11:45Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278153#M83964 <P>Hi,</P> <P>In the events, I have different fields for the products. How can I easily sum all values for these fields when I don't know all exact names?</P> <P>productA=<BR /> productB=<BR /> productC=<BR /> ...</P> <P>These examples are not working, but I hope it explains my need:</P> <PRE><CODE>| stats sum(product*) AS total_products </CODE></PRE> <P>Or to sum up all values per product</P> <PRE><CODE>| stats sum(product*) AS sum BY product* </CODE></PRE> <P>Thanks in advance<BR /> Heinz</P> Tue, 13 Dec 2016 10:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278153#M83964 HeinzWaescher 2016-12-13T10:49:57Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278154#M83965 <P>Hi HeinzWaescher<BR /> try </P> <PRE><CODE>| stats sum(product*) AS total_products </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 13 Dec 2016 11:18:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278154#M83965 gcusello 2016-12-13T11:18:48Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278155#M83966 <P>If I understand correctly you have several products per event and you don't know the names beforehand right?</P> <P>Something like:</P> <PRE><CODE>Event1: Time=123 ProductA=1 ProductB=10 ProductC=100 Event2: Time=456 ProductA=2 ProductH=20 ProductC=200 Event3: Time=789 ProductD=3 ProductB=30 ProductC=300 </CODE></PRE> <P>And you would like to display:</P> <PRE><CODE>Event1: Subtotal=111 Event2: Subtotal=222 Event3: Subtotal=333 TOTAL=666 </CODE></PRE> <P>But also:</P> <PRE><CODE>ProductA_subtotal=3 ProductB_subtotal=40 ProductC_subtotal=600 etc </CODE></PRE> <P>If that's the case then try:</P> <PRE><CODE>your base search here | eval subtotal = 0 | foreach product* [ eval subtotal = subtotal + '&lt;&lt;FIELD&gt;&gt;'] | stats sum(subtotal) as TOTAL, sum(product*) as product*_subtotal </CODE></PRE> <P>Hope that helps. If not please give us more information (sample data, or something like that).</P> <P>Thanks,<BR /> J</P> Tue, 13 Dec 2016 11:44:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278155#M83966 javiergn 2016-12-13T11:44:11Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278156#M83967 <P>Hi,</P> <P>last month I thought that this approach works. I have a new usecase and I'm facing the problem, that it is working with one single event. But for a search returning more than 1 events it does not work. The subtotal is always 0 after the foreach command. Any ideas why this happens?</P> Thu, 26 Jan 2017 13:20:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278156#M83967 HeinzWaescher 2017-01-26T13:20:01Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278157#M83968 <P>Hi, can't really comment without seeing exactly what your data looks like as I'm not quite sure what you mean.</P> <P>Would you mind raising a new question so that we can look at the new use case separately rather than working on an already-closed one?</P> Thu, 26 Jan 2017 13:23:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278157#M83968 javiergn 2017-01-26T13:23:05Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278158#M83969 <P>Hi,</P> <P>I just found out that the problem seems to be that my fieldnames contain dots:</P> <PRE><CODE> Event1: Time=123 Product.A=1 Product.B=10 Product.C=100 Event2: Time=456 Product.A=2 Product.H=20 Product.C=200 Event3: Time=789 Product.D=3 Product.B=30 Product.C=300 </CODE></PRE> <P>But of course I can create a new question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 26 Jan 2017 13:34:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278158#M83969 HeinzWaescher 2017-01-26T13:34:06Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278159#M83970 <P>Hi, even with dots it still seems to be working fine for me. The dots are renamed to _ automatically but that's all.<BR /> Maybe you have to fillnull those empty values you might find so that the subtotal works.</P> <P>See if the following helps:</P> <PRE><CODE>your base search | eval subtotal = 0 | fillnull value=0 | foreach Product* [ eval subtotal = subtotal + '&lt;&lt;FIELD&gt;&gt;'] | eventstats sum(subtotal) as TOTAL, sum(Product*) as Product*_subtotal </CODE></PRE> <P>This is what I get in my lab (see attached picture):</P> <P><IMG src="http://i.imgur.com/btUDzLJ.png" alt="alt text" /><BR /> <A href="http://i.imgur.com/btUDzLJ.png">http://i.imgur.com/btUDzLJ.png</A></P> <P>If that doesn't work I would suggest for you to raise a new question and provide as much info as you can (log samples, queries you are running, etc).</P> Thu, 26 Jan 2017 14:11:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278159#M83970 javiergn 2017-01-26T14:11:45Z https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278160#M83971 <P>Hi,<BR /> I created a standard example as well, which works fine:</P> <PRE><CODE>index=_internal | head 10 | eval product.A=1 | eval product.B=2 | eval product.C=3 | eval subtotal = 0 | foreach product* [ eval subtotal = subtotal + '&lt;&lt;FIELD&gt;&gt;'] | table subtotal </CODE></PRE> <P>But you are right, in my real usecase not every event includes every product.x. Fillnull fixes this problem and foreach is working <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks a lot</P> Thu, 26 Jan 2017 14:22:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sum-all-values-for-fields-that-contain-a-specific-string/m-p/278160#M83971 HeinzWaescher 2017-01-26T14:22:06Z