Archive

Sum of field but grouped by another field Values

Explorer

I have the following values:

OS= ex. windows, linux
CPUCount= ex. 4,8,16
MemoryCount= ex. 8,16,32
PhysicalVirtual= ex. Physical, Virtual

I would like to chart the sum of the following:
Virtual_Linux=sum(CPUCount)
Virtual_Windows=sum(CPUCount)

Same for Physical, then by Memory both Physical and Virtual etc..

Thanks for any help on getting me started on this.

Matt

Tags (1)
0 Karma
1 Solution

How about this:

your base search
| eval Physical_Linux_CPU=if(PhyicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhyicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhyicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhyicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhyicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhyicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhyicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhyicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory

There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.

View solution in original post

0 Karma

How about this:

your base search
| eval Physical_Linux_CPU=if(PhyicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhyicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhyicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhyicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhyicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhyicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhyicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhyicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory

There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.

View solution in original post

0 Karma

Explorer

This seems to work perfectly! I had to make sense of how it handles all items that don't match as 0's but once I figured that out it turned out great!

Thanks very Much!
Matt

0 Karma

Builder

Hello,

I didn't understand very well, try using append command:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual | 
append[ index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual ]

Best regards

0 Karma

Splunk Employee
Splunk Employee

For two separate charts..

Charting CPU count for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual

Charting Memory for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual
0 Karma

Motivator

are you looking for one chart with all of your options? Or separate charts?

0 Karma