Splunk IT Service Intelligence

How do I sum all field values except one field and show the total in a new field?

maniu1609
Path Finder

Hi Friends,

I have the following statistics as below.

Query:

tag=web_app_access|timechart count by status 

Result:

_time                       200         400  403  404  503  505
2018-09-28 00:00:00   109         0 1   1   2   3   
2018-09-28 00:30:00 79        6 0   0   2   4   
2018-09-28 01:00:00 91        1 1   2   3   1   

Now i'm trying to sum all field values except field values from '200' field using below query

Query:

tag=web_app_access|timechart count by status |  eval total=('400'+'403'+'404'+'503'+'505')

Result:

_time                          200      400  403  404  503  505  total
2018-09-28 00:00:00   109         0 1   1   2   3      7
2018-09-28 00:30:00 79        6 0   0   2   4    12
2018-09-28 01:00:00 91        1 1   2   3   1      8

In this case we have 5 fields to be summed up hence we used eval total=('400'+'403'+'404'+'503'+'505'). What if there are 100+ fields and we need to sum their values? Is there any way or method to sum the field values instead of manually mentioning them?

0 Karma
1 Solution

Sukisen1981
Champion

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'

View solution in original post

Sukisen1981
Champion

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'

View solution in original post

maniu1609
Path Finder

Thanks @Sukisen1981 . Works perfectly.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!