Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sum all field values except one field and show the total in a new field?

maniu1609
Path Finder
‎09-29-2018 10:19 AM

Hi Friends,

I have the following statistics as below.

Query:

tag=web_app_access|timechart count by status

Result:

_time                       200         400  403  404  503  505
2018-09-28 00:00:00   109         0 1   1   2   3   
2018-09-28 00:30:00 79        6 0   0   2   4   
2018-09-28 01:00:00 91        1 1   2   3   1

Now i'm trying to sum all field values except field values from '200' field using below query

Query:

tag=web_app_access|timechart count by status |  eval total=('400'+'403'+'404'+'503'+'505')

Result:

_time                          200      400  403  404  503  505  total
2018-09-28 00:00:00   109         0 1   1   2   3      7
2018-09-28 00:30:00 79        6 0   0   2   4    12
2018-09-28 01:00:00 91        1 1   2   3   1      8

In this case we have 5 fields to be summed up hence we used eval total=('400'+'403'+'404'+'503'+'505'). What if there are 100+ fields and we need to sum their values? Is there any way or method to sum the field values instead of manually mentioning them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2018 10:43 PM

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'

View solution in original post

Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2018 10:43 PM

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'
Reply
Solved! Jump to solution

maniu1609
Path Finder
‎09-30-2018 12:56 AM

Thanks @Sukisen1981 . Works perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...