Solved: How to iterate multivalue filed and get sum of val...

user9025 · ‎12-14-2022

I have a splunk log as :

Client Map Details : {A=123, B=245, C=456}

The Map can contain more values apart from these 3, or less values, may be 0 to 10 enteries.

I want to get sum of all the values of map and plot in graph, for eg, for above 123+245+456=X, then I need to plot X on graph.

I am able to get the multivalue field as:

index=temp  sourcetype="xyz" "Client Map Details : " | rex field=_raw "Client Map Details \{(?<map>[A-Z_0-9= ,]+)\}" | eval temp=split(map,",")

Output from above is

A=123
 B=245
 C=456

Now how can I iterate over each value from temp and then split by "=" and get value of each? Or is there a better way to do this?

Also how do i plot graph for this?

ITWhisperer · ‎12-14-2022

| rex "\{(?<details>[^\}]+)\}"
| rex max_match=0 field=details "\w+=(?<value>\d+)"
| eventstats sum(value) as sum by _raw

ITWhisperer · ‎12-14-2022

| rex "\{(?<details>[^\}]+)\}"
| rex max_match=0 field=details "\w+=(?<value>\d+)"
| eventstats sum(value) as sum by _raw

How to iterate multivalue filed and get sum of values