how to sum 2 fields of value

JelianeL
Explorer

Hi, if I have:

2012-10-16T03:27:05+0000, cCount:0 , lCount:17,

in an event, how can I compute cCount + lCount = totalCount?

Can you guide me please? Thank you 😃

1 Solution

reed_kelly
Contributor

Add an

|eval totalCount = cCount + lCount

to your search.

fariapm1
Explorer

Hi,

Found the solution:

| eval totalCount = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'

The problem was that the field name has a space, and to sum I need to use single quotes.

User Sessions   Active Sessions   totalCount
39              26                13
13              12                1
18              13                5

kimikoyan
Explorer

Thanks!!! This answer also fits my question. Neither double quotes nor no quotes, but single quotes, can do the correct number sum and return the correct values. Thanks.

fariapm1
Explorer

Hi,

I have a similar question, but the answer does not fit my case. In my case I have a list of all server session states:

"User Sessions" =25, /  "Active Sessions"=10  /  "Disconnected Sessions"=14 / "Idle Sessions"=1 / "Other Sessions"=0

If I add the line to my search:
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"

the result is:

"User Sessions" =25,
"Active Sessions"=10

total_disconnect= Disconnected_SessionsIdle_SessionsOther_Sessions

query:
index=app_servers sourcetype="Computers"
| eval totalCount = "Disconnected_Sessions" + "Idle_Sessions" + "Other_Sessions"
| table "User Sessions", "Active Sessions",totalCount, "Disconnected Sessions", "Idle Sessions", "Other Sessions", "Name"

Basically, it concatenates the names of the fields. Can someone point me in the right direction?

Thanks!!!!

reed_kelly
Contributor

Continuing from your last comment...

If you just want the max totalCount, then you can use the stats command. Combined with above:

  |eval totalCount = cCount + lCount |stats max(totalCount)

If you want all the rows that you had previously, then you can tack it on with eventstats:

 |eval totalCount = cCount + lCount 
 |eventstats max(totalCount) as maxTotal 
 |table cCount, lCount, totalCount, maxTotal

If you want to single out the row with the max:

  |eval totalCount = cCount + lCount 
  |eventstats max(totalCount) as maxTotal 
  |where totalCount = maxTotal
  |table cCount, lCount, totalCount, maxTotal
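Putting fariapm1's quoting point and reed_kelly's eventstats steps together in one runnable search (an added example, not code from any poster): `makeresults` builds three constructed events in the format of the original question, `rex` extracts the counters, the single-quoted versus double-quoted `eval` shows why the double-quoted attempt concatenated field names instead of adding values, and `eventstats` plus `where` singles out the row with the maximum total. The spaced field names "Connected Count" and "Logged Count" and all sample values are made up for this example.

```spl
| makeresults count=3
| streamstats count AS row
| eval _raw=case(row=1, "2012-10-16T03:27:05+0000, cCount:0 , lCount:17,",
                 row=2, "2012-10-16T03:28:05+0000, cCount:9 , lCount:11,",
                 row=3, "2012-10-16T03:29:05+0000, cCount:4 , lCount:3,")
| rex field=_raw "cCount:(?<cCount>\d+)\s*,\s*lCount:(?<lCount>\d+)"
| eval totalCount = tonumber(cCount) + tonumber(lCount)
| rename cCount AS "Connected Count", lCount AS "Logged Count"
| eval spacedTotal = 'Connected Count' + 'Logged Count'
| eval wrongTotal  = "Connected Count" + "Logged Count"
| eventstats max(totalCount) AS maxTotal
| where totalCount = maxTotal
| table row, "Connected Count", "Logged Count", totalCount, spacedTotal, wrongTotal, maxTotal
```

Only the second row (9 + 11 = 20) survives the `where`, with `spacedTotal` equal to `totalCount` and `wrongTotal` holding the literal string "Connected CountLogged Count". Drop the `where` line to keep every row alongside `maxTotal`, as in the eventstats variant above.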

rbardonetorian
Path Finder

Nice addition... Very thoughtful.. Thanks!

JelianeL
Explorer

Thanks to you, I solved my previous problem 🙂

Another question with ---> max(totalCount)

How do I display it together with other fields?

Currently it only returns totalCount.

I tried adding by message; it does give me message, but it returns all the events.

JelianeL
Explorer

Thank you for your links =D will take a look at it.

reed_kelly
Contributor

Also, the addtotals command may help you:

...|addtotals fieldname=totalCount *Count

If it would help you in learning Splunk commands, check out my Quizlet set on Search Commands:

http://quizlet.com/11171217/splunk-search-commands-flash-cards/

reed_kelly
Contributor

The eval command creates the field totalCount if it does not exist. Take a look at the doc on eval:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

It's a good command to take a close look at. Check the Functions for eval and where as well.

JelianeL
Explorer

Hi, thanks for your reply.

But in my fields there is no totalCount.

So if I add |eval totalCount = cCount(9) + lCount(11)

By right, it will display a field totalCount?

And give me the value 20?

How should I go about to "declare" totalCount?
