Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help creating search to retrieve the results of the sum of Pb + Pb2 + Pb3 classed by name and town

jip31
Motivator
‎04-08-2022 08:51 AM

hello

At the end of this subsearch I would like to be able to retrieve the results of the sum of Pb + Pb2 + Pb3 classed by name and town

 

index=abc sourcetype=toto
| search rtt > 200 
| stats avg(rtt) as rtt by name town
| eval Pb=if(rtt>200,1,0) 
| search Pb > 0 
| append
    [ search `index=cde sourcetype=tutu 
    | stats avg(logon) as logon by name town 
    | eval Pb2=if(logon>300,1,0) 
    | search Pb2 > 0 ] 
| append
    [ search index=efg sourcetype=titi
    | stats dc(id) as id by name town
    | eval Pb3=if(id>2,1,0)
     search Pb3 >5]

 

something like this

 

| stats sum(Pb1 + Pb2 + Pb3) by name town

 

could you help please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-09-2022 12:22 AM

Appendcols will cheat you here - there's no guarantee that all three searches will give you your partial results in the same order so the additional columns will most probably not match the earlier results.

But apart from that, let's for now assume that we're using append instead of trying to rework the search into a single one. So starting with your initial search

index=abc sourcetype=toto
| search rtt > 200 
| stats avg(rtt) as rtt by name town
| eval Pb=if(rtt>200,1,0) 
| search Pb > 0 
| append
    [ search `index=cde sourcetype=tutu 
    | stats avg(logon) as logon by name town 
    | eval Pb2=if(logon>300,1,0) 
    | search Pb2 > 0 ] 
| append
    [ search index=efg sourcetype=titi
    | stats dc(id) as id by name town
    | eval Pb3=if(id>2,1,0)
     search Pb3 >5]

 We land with some stats having name, town and a field of Pb, Pb2 or Pb3.

So now just create an artificial field from those three:

| eval temp = coalesce(Pb,Pb2,Pb3)

And sum them up

| stats sum(temp) as sum_of_Pbs by name town

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2022 10:01 AM

You almost had it!  Use the eval function within stats.

| stats sum(eval(Pb1 + Pb2 + Pb3)) by name town

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-09-2022 12:07 AM

Hi

I have 2 problems

1) if i use your example, I have the message 

Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'sum(eval(P1 + P2 ))'.
 
If i am just doing | eval t=(Pb1+Pb2+Pb3) | stats sum(t) by.... , it works
 
2) When I run the search, the result for "t" field works only if the 3 conditions are true, so my result is always 3
In the t field, I would like to have 0, 1, 2 or 3
Here is my search

 

`index` 
| search rtt > 200 
| stats avg(rtt) as rtt by name town site 
| eval Pb1=if(rtt>200,1,0) 
| search Pb1 > 0 
| appendcols 
    [ search `index` 
    | stats avg(logon) as logon by name town 
    | eval Pb2=if(logon>30000,1,0) 
    | search Pb2 > 0 ] 
| appendcols 
    [ search `index`  
    | stats dc(id) as id by name town 
    | eval Pb3=if(id>0,1,0) 
    | search Pb3>0
        ] 
| eval t=(Pb1+Pb2+Pb3) 
| stats sum(t) by name town

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-09-2022 12:22 AM

Appendcols will cheat you here - there's no guarantee that all three searches will give you your partial results in the same order so the additional columns will most probably not match the earlier results.

But apart from that, let's for now assume that we're using append instead of trying to rework the search into a single one. So starting with your initial search

index=abc sourcetype=toto
| search rtt > 200 
| stats avg(rtt) as rtt by name town
| eval Pb=if(rtt>200,1,0) 
| search Pb > 0 
| append
    [ search `index=cde sourcetype=tutu 
    | stats avg(logon) as logon by name town 
    | eval Pb2=if(logon>300,1,0) 
    | search Pb2 > 0 ] 
| append
    [ search index=efg sourcetype=titi
    | stats dc(id) as id by name town
    | eval Pb3=if(id>2,1,0)
     search Pb3 >5]

 We land with some stats having name, town and a field of Pb, Pb2 or Pb3.

So now just create an artificial field from those three:

| eval temp = coalesce(Pb,Pb2,Pb3)

And sum them up

| stats sum(temp) as sum_of_Pbs by name town

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-09-2022 02:50 AM

Perfect PickleRick, thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...