Splunk Search

Customized Sum Condition

hollybross1219
Path Finder

I have the following query:

splunk_server=indexer* index=wsi sourcetype=fdpwsiperf (channel_type=ofx2 OR agent_service=OfxAgent) domain=tax api_version=v1 capability=* tax_year=2019 NOT *test* NOT *jmeter-automation* ofx_codes!="[15500,2000]"
| lookup Provider_Alert.csv Provider_ID AS partnerId OUTPUT Tier Form_Type
| search Tier=Tier1
| eval time_bucket=case(_time>=relative_time(now(),"-1h"), "last_hour", 1==1, "prior_hour")
| eval error_type=case(error_code_host="2000", "OFX_2000", error_code_service IN ("5000","5001"), "provider_unavailable", like(http_status_code_host,"5%"), "HTTP_500",1==1,"null")
| eval combo=partnerId."::".provider_id."::".Form_Type."::".host_base_url."::".error_type
| chart dc(intuit_tid) as total_requests by combo time_bucket
| eval partnerId=mvindex(split(combo,"::"),0)
| eval provider_id=mvindex(split(combo,"::"),1)
| eval Form_Type=mvindex(split(combo,"::"),2)
| eval host_base_url=mvindex(split(combo,"::"),3)
| eval error_type=mvindex(split(combo,"::"),4)
| fields partnerId provider_id Form_Type host_base_url error_type last_hour prior_hour

Which produces a table, where the following result is possible:

partnerIdprovider_idForm_typehost_base_urlerror_typelast_hourprior_hour
partner1XYZFormAurlBnull5030
partner1XYZFormAurlBHTTP 5001220
partner2ABCFormBurlZnull2030

 

I would like to add a column that sums values in last_hour according to grouping by partnerId, so that the above example, I would have another column (ie. extra_column) that has 62 (ie. 50 + 12 = 62) in the two rows for partner1.

Extra note: I need the volume breakdown by error_type, but not in a chart format.

How can I achieve this?

Labels (2)
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Try adding below to your search

 

your search
|eventstats sum(last_hour) as last_hour_sum by partnerId

 

Also

can't you change 

 eval combo=partnerId."::".provider_id."::".Form_Type."::".host_base_url."::".error_type
| chart dc(intuit_tid) as total_requests by combo time_bucket
| eval partnerId=mvindex(split(combo,"::"),0)
| eval provider_id=mvindex(split(combo,"::"),1)
| eval Form_Type=mvindex(split(combo,"::"),2)
| eval host_base_url=mvindex(split(combo,"::"),3)
| eval error_type=mvindex(split(combo,"::"),4)

with

|stats dc(intuit_tid) as total_requests by partnerId,provider_id,Form_Type,host_base_url,error_type
0 Karma