
Adding Integers/numerical data in 2 multivalue fields to a new field

jaysonpryde
Path Finder

Hi All,

I think the subject of my questions says it all... I wanted to add numerical data from 2 multivalue fields, and save it to a new field. 

Field1  Field2  Field3
4       8       12
8       9       17
3       2       5

 

I know mvappend is not the one to be used here, but I already tried:

| eval field3=mvappend(field1,field2)

Any ideas are greatly appreciated.


ITWhisperer
SplunkTrust
| eval field3=mvzip(field1,field2,"!")
| eval field3=mvmap(field3,tonumber(mvindex(split(field3,"!"),0))+tonumber(mvindex(split(field3,"!"),1)))
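A self-contained run of the accepted answer, added here as an example and not taken from any post in the thread: it builds the question's three value pairs with makeresults and split (constructed data, not the asker's real search), applies the mvzip/mvmap step, and adds an mvcount check, because mvzip pairs values by position, so a value missing from one field misaligns every pair after it. It assumes Splunk 8.0 or later, where mvmap is available.

```spl
| makeresults
| eval group_name="A", field1=split("4,8,3", ","), field2=split("8,9,2", ",")
| rename comment as "everything above builds constructed sample data matching the table in the question"
| eval field3=mvzip(field1, field2, "!")
| eval field3=mvmap(field3, tonumber(mvindex(split(field3, "!"), 0)) + tonumber(mvindex(split(field3, "!"), 1)))
| eval length_check=if(mvcount(field1)=mvcount(field2), "ok", "field1/field2 lengths differ, sums misaligned")
| table group_name field1 field2 field3 length_check
```

field3 should come back as 12, 17 and 5, the Field3 column of the question's table; if list() dropped a null from one side in the real data, length_check flags it instead of letting the shifted sums pass silently.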

jaysonpryde
Path Finder

You're indeed a legend @ITWhisperer . Thank you very much!

kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Are you looking for this?

YOUR_SEARCH
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*

 

My sample search:

| makeresults | eval _raw="Field1	Field2
4|2	8|5	12
8|2	9|2	17
3|2	2|2	5" | multikv forceheader=1 | eval Field1=split(Field1,"|"),Field2=split(Field2,"|")
| table Field1	Field2 
| rename comment as "Upto Now is sample data only" 
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*


Thanks
KV

jaysonpryde
Path Finder

Hi @kamlesh_vaghela , thanks a lot for your feedback.

However, your proposed solution is actually getting the sum of Field1 and Field2.

I am not up to that. As mentioned, I want each row/entry of the multivalue fields 1 & 2 to be added and saved on field 3... Again, what I require is a per-entry operation.

Again, thanks a lot for your reply.

kamlesh_vaghela
SplunkTrust

@jaysonpryde 

As you said multivalued (single field with multiple values) field, I thought field1 and field2 were multivalued.

As per the example you provided in the question, did you try simple addition?

like

| eval field3=field1 + field2

 

😕

Or I think I'm still not clear about your expectations.

 

kamlesh_vaghela
SplunkTrust

Try this

| eval Field3=tonumber(Field1) + tonumber(Field2)

jaysonpryde
Path Finder

Still not working... I think you can't simply add multivalue fields directly.

But still, thanks a lot for your comments. Greatly appreciate it.


jaysonpryde
Path Finder

Hmm... the solution you provided is not working for me. I always get empty results in field3

kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Can you please share the sample output from this?

YOUR_SEARCH | head 3
| table Field1	Field2 

 


jaysonpryde
Path Finder

(screenshot: example field1 and field2)

Like what I placed in my initial post, it's just 2 multivalue fields.

I got the 2 multivalue fields from this search:

| stats list(field1) as field1, list(field2) as field2 by group_name

 

kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Is it possible to add before stats? Like:

YOUR_SEARCH
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

 

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

jaysonpryde
Path Finder

Not possible, since field1 and field2 are results from operations/evaluations.

I just simplified it on my original post.

kamlesh_vaghela
SplunkTrust

@jaysonpryde 

Then I think this will help you.

YOUR_SEARCH
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),1) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name

 

My sample search:

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),1) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name