Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add values together for report

Dragonnet
New Member
‎10-26-2010 10:47 AM

I have a SYSLOG output from a netscreen. There are two fields in each record that contain a value (sent) and (rcvd). I have enclosed an example below. I want to create a bar chart that will show the sum of these two values for the top ten IP addresses in (dst)

I have tried various syntaxes in the report command pipe * | timechart sum(sent) by dst

  • | timechart sum(sent+rcvd) by dst
  • | timechart sum((sent)+(rcvd)) by dst
  • | timechart sum((sum(sent)+(sum(rcvd)) by dst

But clearly I am missing something in the syntax

ssg5-serial: NetScreen device_id=0162102007000604 [Root]system-notification-00257(traffic): start_time="2010-10-26 11:34:30" duration=4 policy_id=6 service=icmp proto=1 src zone=Untrust dst zone=Trust action=Permit sent=78 rcvd=78 src=212.21.121.89 dst=212.21.101.193 icmp type=8 src-xlated ip=212.21.121.89 dst-xlated ip=212.21.101.193 session_id=2607 reason=Close - RESP\x00

Tags (2)
0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎10-26-2010 11:11 AM

One way...

 ... | timechart eval(sum(sent)+sum(rcvd)) by dst
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...