Splunk Search

Adding Integers/numerical data in 2 multivalue fields to a new field

jaysonpryde
Path Finder

Hi All,

I think the subject of my question says it all... I wanted to add numerical data from 2 multivalue fields, and save it to a new field.

Field1  Field2  Field3
4       8       12
8       9       17
3       2       5

 

I know mvappend is not the one to be used here, but I already tried:

 

| eval field3=mvappend(field1,field2)

 

Any ideas are greatly appreciated.

1 Solution

ITWhisperer
SplunkTrust
| eval field3=mvzip(field1,field2,"!")
| eval field3=mvmap(field3,tonumber(mvindex(split(field3,"!"),0))+tonumber(mvindex(split(field3,"!"),1)))
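
A self-contained run of the mvzip/mvmap approach above, added here as an example and not part of any post in the thread. The makeresults rows are constructed sample data, and `raw1`, `raw2`, `pair` and `length_mismatch` are hypothetical field names; because the pairing is positional, the search also flags groups whose two lists differ in length.

```spl
| makeresults count=2
| streamstats count as n
| rename comment as "Constructed sample data: group A repeats the question's rows, group B has lists of unequal length"
| eval group_name=if(n=1, "A", "B")
| eval raw1=if(n=1, "4|8|3", "7|1|6"), raw2=if(n=1, "8|9|2", "5|4")
| eval field1=split(raw1, "|"), field2=split(raw2, "|")
| fields group_name field1 field2
| rename comment as "Pair the values by position, then add each pair"
| eval pair=mvzip(field1, field2, "!")
| eval field3=mvmap(pair, tonumber(mvindex(split(pair, "!"), 0)) + tonumber(mvindex(split(pair, "!"), 1)))
| rename comment as "Hypothetical check field: positional pairing is only meaningful when both lists have the same length"
| eval length_mismatch=if(mvcount(field1)!=mvcount(field2), "yes", "no")
| table group_name field1 field2 field3 length_mismatch
```

A `yes` in `length_mismatch` means the lists feeding the pairing should be checked before `field3` is relied on, since values are matched purely by position.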


jaysonpryde
Path Finder

You're indeed a legend @ITWhisperer . Thank you very much!


kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Are you looking for this?

YOUR_SEARCH
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*

 

My Sample Search :

| makeresults | eval _raw="Field1	Field2
4|2	8|5	12
8|2	9|2	17
3|2	2|2	5" | multikv forceheader=1 | eval Field1=split(Field1,"|"),Field2=split(Field2,"|")
| table Field1	Field2 
| rename comment as "Upto Now is sample data only" 
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*


 Thanks
KV
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

jaysonpryde
Path Finder

Hi @kamlesh_vaghela , thanks a lot for your feedback.

However, your proposed solution is actually getting the sum of Field1 and Field2.

I am not up to that. As mentioned, I want each row/entry of the multivalue fields 1 & 2 to be added and saved in field 3... Again, what I require is a per-entry operation.

Again, thanks a lot for your reply.


kamlesh_vaghela
SplunkTrust

@jaysonpryde 

As you said multivalued (single field with multiple values) field, I thought field1 and field2 were multivalued.

As per the example provided in your question, did you try simple addition?

Like

| eval field3=field1 + field2

 

😕

 

Or I think I'm still not clear about your expectations.

 


kamlesh_vaghela
SplunkTrust

Try this

| eval Field3=tonumber(Field1) + tonumber(Field2)

jaysonpryde
Path Finder

Still not working... I think you can't just simply add multivalue fields directly.

But still, thanks a lot for your comments. Greatly appreciate it.


jaysonpryde
Path Finder

Hmm... the solution you provided is not working for me. I always get empty results in field3


kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Can you please share sample OP from this ?

YOUR_SEARCH | head 3
| table Field1	Field2 

 


jaysonpryde
Path Finder

[Image: example field1 and field2]

Like what I placed in my initial post, it's just 2 multivalue fields.

I got the 2 multivalue fields from this search:

| stats list(field1) as field1, list(field2) as field2 by group_name

 


kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Is it possible to add before stats? Like

YOUR_SEARCH
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

 

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

jaysonpryde
Path Finder

Not possible, since field1 and field2 are results from operations / evaluations.

I just simplified it in my original post.


kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Then I think this will help you.

YOUR_SEARCH
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),1) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name

 

My Sample Search :

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),1) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name