Hi, if I have:
2012-10-16T03:27:05+0000, cCount:0 , lCount:17,
in an event. How can I get cCount + lCount = totalCount?
Can you guide me, please? Thank you 😃
Hi,
Found the solution:
| eval totalCount = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
The problem was that the field name has a space, and to sum I need to use single quotes.
User Sessions    Active Sessions    totalCount
39               26                 13
13               12                 1
18               13                 5
Thanks !!! This answer also fits my question. Neither double quotes nor zero quotes, but single quotes can do the correct number sum and return the correct values. Thanks.
Hi,
I have a similar question, but the answer does not fit me. In my case I have a list of all server sessions state:
"User Sessions" =25, / "Active Sessions"=10 / "Disconnected Sessions"=14 / "Idle Sessions"=1 / "Other Sessions"=0
If I add the line to my search:
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"
the result is:
"User Sessions" =25,
"Active Sessions"=10
total_disconnect= Disconnected_SessionsIdle_SessionsOther_Sessions
query:
index=app_servers sourcetype="Computers"
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"
| table "User Sessions", "Active Sessions",totalCount, "Disconnected Sessions", "Idle Sessions", "Other Sessions", "Name"
Basically, it concatenates the names of the fields. Can someone point me in the right direction?
Thanks!!!!
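Added example (not from any poster in this thread): a self-contained search that reproduces the concatenation described in the post above and contrasts it with the single-quoted form from the solution earlier in the thread. The row is constructed with `makeresults` from the session counts quoted in the post; "Other Sessions" is deliberately left out of the row to show what a missing field does to the sum, and the field names `concatenated` and `nullTotal` and the `coalesce(..., 0)` guard are illustrative additions.

```spl
| makeresults
| eval "User Sessions"=25, "Active Sessions"=10, "Disconnected Sessions"=14, "Idle Sessions"=1
| eval concatenated = "Disconnected Sessions" + "Idle Sessions" + "Other Sessions"
| eval nullTotal = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval totalCount = coalesce('Disconnected Sessions', 0) + coalesce('Idle Sessions', 0) + coalesce('Other Sessions', 0)
| table "User Sessions", "Active Sessions", "Disconnected Sessions", "Idle Sessions", concatenated, nullTotal, totalCount
```

On the right-hand side of `eval`, double quotes make string literals, so `concatenated` holds the joined field names, while single quotes reference field values. `nullTotal` comes back empty because one operand is missing from the event, and `totalCount` still sums the fields that are present.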
Continuing from your last comment...
If you just want the max totalCount, then you can use the stats command. Combined with above:
|eval totalCount = cCount + lCount |stats max(totalCount)
If you want all the rows that you had previously, then you can tack it on with eventstats:
|eval totalCount = cCount + lCount
|eventstats max(totalCount) as maxTotal
|table cCount, lCount, totalCount, maxTotal
If you want to single out the row with the max:
|eval totalCount = cCount + lCount
|eventstats max(totalCount) as maxTotal
|where totalCount = maxTotal
|table cCount, lCount, totalCount, maxTotal
Nice addition... Very thoughtful.. Thanks!
Add an
|eval totalCount = cCount + lCount
to your search.
Thanks to you, I solved my previous problem 🙂
Another question with ---> max(totalCount)
How do I display it together with other fields?
Currently it only returns totalCount.
I tried by message, it does give me message but it returns me all the events.
Thank you for your links =D will take a look at it.
Also, the addtotals command may help you:
...|addtotals fieldname=totalCount *Count
If it would help you in learning Splunk commands, check out my Quizlet set on Search Commands:
http://quizlet.com/11171217/splunk-search-commands-flash-cards/
The eval command creates the field totalCount if it does not exist. Take a look at the doc on eval:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
It's a good command to take a close look at. Check the Functions for eval and where as well.
Hi, thanks for your reply.
But in my fields there is no totalCount.
So if I add |eval totalCount = cCount(9) + lCount(11)
By right, it will display a field totalCount?
And give me the value 20?
How should I go about "declaring" totalCount?