
how to sum 2 fields of value

Explorer

Hi, if I have:

2012-10-16T03:27:05+0000, cCount:0 , lCount:17,

in an event. How can I get cCount + lCount = totalCount?

Can someone guide me, please? Thank you 😃


Contributor

Add an

|eval totalCount = cCount + lCount

to your search.


Explorer

Hi,

Found the solution:

| eval totalCount = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'

The problem was that the field name has a space, and to sum I need to use single quotes.

User Sessions   Active Sessions   totalCount
39              26                13
13              12                1
18              13                5
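
The quoting rule this thread turns on, as an added example that is not part of any post here: on the right-hand side of eval, double quotes make a string literal and single quotes reference a field. The rows are constructed with makeresults; row, note, asLiterals and asFields are hypothetical names, and the coalesce() step goes beyond the thread to cover a field that is missing from an event.

```spl
| makeresults count=3
| streamstats count AS row
| eval note = "constructed sample rows, not data from the thread"
| eval "Disconnected Sessions" = case(row=1, 14, row=2, 1, row=3, 5)
| eval "Idle Sessions"         = case(row=1, 1,  row=2, 0, row=3, 2)
| eval "Other Sessions"        = case(row=1, 0,  row=2, 3)
| eval asLiterals = "Disconnected Sessions" + "Idle Sessions" + "Other Sessions"
| eval asFields   = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval totalCount = coalesce('Disconnected Sessions', 0) + coalesce('Idle Sessions', 0) + coalesce('Other Sessions', 0)
| table row, note, "Disconnected Sessions", "Idle Sessions", "Other Sessions", asLiterals, asFields, totalCount
```

asLiterals holds the three names joined together, asFields holds the numeric sum, and on the row with no Other Sessions value asFields comes back empty while totalCount is still computed.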

Explorer

Thanks !!! This answer also fits my question. Neither double quotes nor zero quotes, but single quotes can do the correct number sum and return the correct values. Thanks.


Explorer

Hi,

I have a similar question, but the answer does not fit my case. In my case I have a list of all server session states:

"User Sessions" =25, /  "Active Sessions"=10  /  "Disconnected Sessions"=14 / "Idle Sessions"=1 / "Other Sessions"=0

If I add the line to my search:
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"

the result is:

"User Sessions" =25,
"Active Sessions"=10

total_disconnect= Disconnected_SessionsIdle_SessionsOther_Sessions

query:
index=app_servers sourcetype="Computers"
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"
| table "User Sessions", "Active Sessions",totalCount, "Disconnected Sessions", "Idle Sessions", "Other Sessions", "Name"

Basically, it concatenates the names of the fields. Can someone point me in the right direction?

Thanks!!!!


Contributor

Continuing from your last comment...

If you just want the max totalCount, then you can use the stats command. Combined with above:

  |eval totalCount = cCount + lCount |stats max(totalCount)

If you want all the rows that you had previously, then you can tack it on with eventstats:

 |eval totalCount = cCount + lCount 
 |eventstats max(totalCount) as maxTotal 
 |table cCount, lCount, totalCount, maxTotal

If you want to single out the row with the max:

  |eval totalCount = cCount + lCount 
  |eventstats max(totalCount) as maxTotal 
  |where totalCount = maxTotal
  |table cCount, lCount, totalCount, maxTotal

Path Finder

Nice addition... Very thoughtful.. Thanks!



Explorer

Thanks to you, I solved my previous problem 🙂

Another question with ---> max(totalCount)

How do I display it together with other fields?

Currently it only returns totalCount.

I tried by message, it does give me message but it returns me all the events.


Explorer

Thank you for your links =D will take a look at it.


Contributor

Also, the addtotals command may help you:

...|addtotals fieldname=totalCount *Count

If it would help you in learning Splunk commands, check out my Quizlet set on Search Commands:

http://quizlet.com/11171217/splunk-search-commands-flash-cards/

Contributor

The eval command creates the field totalCount if it does not exist. Take a look at the doc on eval:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

It's a good command to take a close look at. Check the Functions for eval and where as well.

Explorer

Hi thanks for your reply.

But in my fields there is no totalCount.

So if I add |eval totalCount = cCount(9) + lCount(11)

By right, it will display a field totalCount?

And give me the value 20?

How should I go about to "declare" totalCount?
