Splunk Search

Sum of field but grouped by another field Values

matt4321
Explorer

I have the following values:

OS= ex. windows, linux
CPUCount= ex. 4,8,16
MemoryCount= ex. 8,16,32
PhysicalVirtual= ex. Physical, Virtual

I would like to chart the sum of the following:
Virtual_Linux=sum(CPUCount)
Virtual_Windows=sum(CPUCount)

Same for Physical, then by Memory both Physical and Virtual etc..

Thanks for any help on getting me started on this.

Matt

1 Solution

elliotproebstel
Champion

How about this:

your base search
| eval Physical_Linux_CPU=if(PhysicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhysicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhysicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhysicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhysicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhysicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhysicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhysicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory

There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.

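A shorter way to get the same eight totals, added here as an example and not code from this thread: build one grouping key from PhysicalVirtual and OS, aggregate once, then transpose so each group becomes a column. The sourcetype name `host_inventory` and the `dedup host` step are assumptions (dedup keeps only the most recent inventory event per host, so a host that checks in every hour is not counted twenty-four times); `lower(OS)` is there because eval string handling is case-sensitive, unlike the search bar, so "Linux" and "linux" would otherwise become separate groups.

```spl
index=<your_index_here> sourcetype=host_inventory
| dedup host
| eval group=PhysicalVirtual."_".lower(OS)
| stats sum(CPUCount) AS CPU, sum(MemoryCount) AS Memory BY group
| transpose 0 header_field=group column_name=metric
```

Before the transpose, the result is four rows (Physical_linux, Physical_windows, Virtual_linux, Virtual_windows) with CPU and Memory columns, which already charts as a grouped bar chart. After it, there are two rows, CPU and Memory, with one column per group, matching the one-row layout of the accepted answer. Rows whose OS or PhysicalVirtual value is missing end up under a group such as "Physical_" rather than silently contributing 0, which makes gaps in the inventory visible.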

matt4321
Explorer

This seems to work perfectly! I had to make sense of how it handles all items that don't match as 0's but once I figured that out it turned out great!

Thanks very much!
Matt


TISKAR
Builder

Hello,

I didn't understand very well; try using the append command:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual |
append [ index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual ]

Best regards


jluo_splunk
Splunk Employee

For two separate charts..

Charting CPU count for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual

Charting Memory for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual

kmaron
Motivator

are you looking for one chart with all of your options? Or separate charts?
