topic Re: How to show stats sum for a field using a value produced from an eval statement? in Splunk Search

How to show stats sum for a field using a value produced from an eval statement?

franksteinar — Wed, 10 Feb 2016 21:13:47 GMT

Hi,

I have one field with values for each month, and this eval gives me the current month name(current February);

eval mnd=strftime(_time, "%B")

Field1 is named January, Field2 February...

But when I try to sum this field with stats, I get no results;

stats sum(mnd)

I want this search to automatically show the current month's sum, and not using a static value in the stats sum expression.

Re: How to show stats sum for a field using a value produced from an eval statement?

javiergn — Wed, 10 Feb 2016 21:52:54 GMT

Hi, sorry I'm a bit confused by your question.
%B is creating a string therefore you can't sum it in Splunk.

If you want to sum months using integers simply use %m instead.

Stats won't care about whether your field comes from an eval or not. A field is a field.

Please let me know if that's not what you are looking for.

Re: How to show stats sum for a field using a value produced from an eval statement?

somesoni2 — Wed, 10 Feb 2016 22:05:24 GMT

Are you looking for a sum of some field and you want column (with sum) for each month?? If that's the case try something like this

your base search | eval mnd=strftime(_time, "%B")  | eval temp=1 | chart sum(WhateverFieldYouWantToSum) over temp by mnd | fields - temp

Re: How to show stats sum for a field using a value produced from an eval statement?

franksteinar — Thu, 11 Feb 2016 09:27:35 GMT

Hi,

sorry, I will try to be more presise. What I want to accomplish, is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I easily can display February with a static expression;
stats sum(February)

that means I need to maintain this manually every month to match the month we are currently in. How can I make this flexible, so that the stats sum choose the current month. Each month is represented with its own field(or column).

Hope this makes more sense:)

PS! Using %m did not make any difference, even though I adjusted the fields/columns to 01, 02, 03...

Re: How to show stats sum for a field using a value produced from an eval statement?

sunnyparmar — Thu, 11 Feb 2016 09:57:56 GMT

| stats count by mnd

| stats count by sum(mnd)

Re: How to show stats sum for a field using a value produced from an eval statement?

franksteinar — Thu, 11 Feb 2016 10:24:11 GMT

Hi,

the challenge here is that "WhateverFieldYouWantToSum" is a static reference to a field, I need a dynamic reference to a field.
From my last post:
What I want to accomplish, is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I easily can display February with a static expression;
stats sum(February)

Re: How to show stats sum for a field using a value produced from an eval statement?

somesoni2 — Thu, 11 Feb 2016 15:47:16 GMT

Here the month name (which will appear as a column name) is dynamic only. Not sure if you tried this at all..

Could you provide the current search where you've to provide the Month name using static expression??

Re: How to show stats sum for a field using a value produced from an eval statement?

javiergn — Fri, 12 Feb 2016 10:12:05 GMT

If you want to display the current monthly dynamically simply use the following:

| eval current_month = strftime(now(), "%B")

Then restrict your search to only return events for the month we are currently in:

index=foo sourcetype=bar earliest=@mon

Hope that makes sense.

Re: How to show stats sum for a field using a value produced from an eval statement?

DalJeanis — Thu, 05 Jan 2017 23:04:23 GMT

The first one is right. The second doesn't seem to make any sense.

I think you may have meant (for the second one)

| stats sum(SomeField) as "Total of SomeField" by mnd