Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sum field value by different fields and merge together in 1 table

langlv
Engager
‎02-09-2017 02:35 AM

Hi,

I have a list of events here from an account management system.

"_time",dr_account,cr_account,amount
"2017-02-09T17:20:19.000+0700",111111,222222,1500000
"2017-02-09T17:20:19.000+0700",111111,333333,1000000
"2017-02-09T17:20:19.000+0700",222222,555555,11070000
"2017-02-09T17:20:19.000+0700",333333,111111,3000000
"2017-02-09T17:20:19.000+0700",444444,111111,1250000
"2017-02-09T17:20:19.000+0700",111111,555555,3000000

I am going to make a aggregation report by sum the amount field by both dr_account and cr_account and, then display the total debit, total credit and balance (=total debit - total credit) on a table for each account, for example:

account,total_debit,total_credit,balance
111111,5500000,4250000,1250000
222222,11070000,1500000,9570000
...

I am trying to use stats sum(amount) as total_debit by dr_account | appendcols [stats sum(amount) as total_credit by cr_account] but no luck.

Could you guys please help me on this case ?

Thank you very much.
Lang

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ehudb
Contributor
‎02-09-2017 04:00 AM

Try this one:

 |appendpipe [stats sum(amount) as total_debit by dr_account |rename dr_account as account]
 |appendpipe [stats sum(amount) as total_credit by cr_account |rename cr_account as account]
 |stats values(total*) as total* by account
 |eval balance=total_debit-total_credit

Result:

account total_credit    total_debit balance
--------------------------------------------------
111111  4250000       5500000       1250000
222222  1500000       11070000      9570000
333333  1000000       3000000       2000000
444444                    1250000    
555555  14070000

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-09-2017 07:59 AM

Try like this (everything before | eval temp is just to generate sample data, replace it with your search)

| gentimes start=-1 | eval host="2017-02-09T17:20:19.000+0700,111111,222222,1500000 2017-02-09T17:20:19.000+0700,111111,333333,1000000 2017-02-09T17:20:19.000+0700,222222,555555,11070000 2017-02-09T17:20:19.000+0700,333333,111111,3000000 2017-02-09T17:20:19.000+0700,444444,111111,1250000 2017-02-09T17:20:19.000+0700,111111,555555,3000000"| table host | makemv host | mvexpand host | rex field=host "^(?<time>[^,]+),(?<dr_account>[^,]+),(?<cr_account>[^,]+),(?<amount>[^,]+)"  | eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S.%N%z")| fields - host time 
| eval temp=dr_account.":debit:".amount."##".cr_account.":credit:".amount | table temp | makemv temp delim="##" | mvexpand temp | rex field=temp "(?<account>[^\:]+)\:(?<action>[^\:]+)\:(?<amount>.+)" | fields - temp | chart sum(amount) over account by action | fillnull value=0| eval balance=debit-credit
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-09-2017 08:33 AM

Extra credit for showing the sample data. Just missed a perfect score by the field order and name.

| table account debit credit balance 
| rename debit as total_debit credit as total_credit
0 Karma
Reply
Solved! Jump to solution
Solution

ehudb
Contributor
‎02-09-2017 04:00 AM

Try this one:

 |appendpipe [stats sum(amount) as total_debit by dr_account |rename dr_account as account]
 |appendpipe [stats sum(amount) as total_credit by cr_account |rename cr_account as account]
 |stats values(total*) as total* by account
 |eval balance=total_debit-total_credit

Result:

account total_credit    total_debit balance
--------------------------------------------------
111111  4250000       5500000       1250000
222222  1500000       11070000      9570000
333333  1000000       3000000       2000000
444444                    1250000    
555555  14070000
Reply
Solved! Jump to solution

langlv
Engager
‎02-09-2017 07:05 PM

It works like a charm, add some isnull() check and i can now have balance for all accounts.

Thanks ehudb.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-09-2017 08:38 AM

Works fine. Maybe a little more readable than somesoni2's.

0 Karma
Reply
Solved! Jump to solution

ronekarleone
Explorer
‎02-09-2017 03:03 AM

Hi! Try to use this search: 

|stats sum(amount) as total_debit by dr_account | rename  dr_account  AS account 
|append [stats sum(amount) as total_credit by cr_account | rename  cr_account  AS account] 
|stats value(total_debit) AS total_debit, value(total_credit) AS total_credit by account | eval balance=total_debit-total_credit

Also you can use appendpipe command for search optimization like this: 

|rename  dr_account  AS account | stats sum(amount) as total_debit by account 
|appendpipe [stats sum(amount) as total_credit by cr_account | rename  cr_account  AS account] 
|stats value(total_debit) AS total_debit, value(total_credit) AS total_credit by account |eval balance=total_debit-total_credit
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...