Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sum all field values except one field and show the total in a new field?

maniu1609
Path Finder
‎09-29-2018 10:19 AM

Hi Friends,

I have the following statistics as below.

Query:

tag=web_app_access|timechart count by status

Result:

_time                       200         400  403  404  503  505
2018-09-28 00:00:00   109         0 1   1   2   3   
2018-09-28 00:30:00 79        6 0   0   2   4   
2018-09-28 01:00:00 91        1 1   2   3   1

Now i'm trying to sum all field values except field values from '200' field using below query

Query:

tag=web_app_access|timechart count by status |  eval total=('400'+'403'+'404'+'503'+'505')

Result:

_time                          200      400  403  404  503  505  total
2018-09-28 00:00:00   109         0 1   1   2   3      7
2018-09-28 00:30:00 79        6 0   0   2   4    12
2018-09-28 01:00:00 91        1 1   2   3   1      8

In this case we have 5 fields to be summed up hence we used eval total=('400'+'403'+'404'+'503'+'505'). What if there are 100+ fields and we need to sum their values? Is there any way or method to sum the field values instead of manually mentioning them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2018 10:43 PM

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'

View solution in original post

Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2018 10:43 PM

In case you are just trying to exclude '200' which looks like the case , maybe you want to eliminate successful calls from the total why not use something like this?

 tag=web_app_access|timechart count by status | addtotals | eval Total=Total-'200'
Reply
Solved! Jump to solution

maniu1609
Path Finder
‎09-30-2018 12:56 AM

Thanks @Sukisen1981 . Works perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...