Add values together for report

Dragonnet · ‎10-26-2010

I have a SYSLOG output from a netscreen. There are two fields in each record that contain a value (sent) and (rcvd). I have enclosed an example below. I want to create a bar chart that will show the sum of these two values for the top ten IP addresses in (dst)

I have tried various syntaxes in the report command pipe * | timechart sum(sent) by dst

| timechart sum(sent+rcvd) by dst
| timechart sum((sent)+(rcvd)) by dst
| timechart sum((sum(sent)+(sum(rcvd)) by dst

But clearly I am missing something in the syntax

ssg5-serial: NetScreen device_id=0162102007000604 [Root]system-notification-00257(traffic): start_time="2010-10-26 11:34:30" duration=4 policy_id=6 service=icmp proto=1 src zone=Untrust dst zone=Trust action=Permit sent=78 rcvd=78 src=212.21.121.89 dst=212.21.101.193 icmp type=8 src-xlated ip=212.21.121.89 dst-xlated ip=212.21.101.193 session_id=2607 reason=Close - RESP\x00

bwooden · ‎10-26-2010

One way...

 ... | timechart eval(sum(sent)+sum(rcvd)) by dst

Add values together for report

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation

Add values together for report

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling