Solved: Re: Eval and sum problemn

jnahuelperez35 · ‎12-30-2016

I have a couple events to search for 3 fields

MySearch | eval UTCOD=if((FIRST_ACT=5 and SECOND_ACT=2), 1, 0) | eval UTCOQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=0), 1, 0) | eval UTSQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=4), 1, 0) | stats sum(UTCOD) as total, sum(UTCOQ) as total, sum(UTSQ) as total

This provide's me just the last "total" that i'm sum (sum UTSQ)

What i need is to get the total of the 3 evaluations UTCOD + UTCOQ + UTSQ with a Single Value as the sum of three.

regards!

arkadyz1 · ‎12-30-2016

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

View solution in original post

arkadyz1 · ‎12-30-2016

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

jnahuelperez35 · ‎12-30-2016

That's what i want it to happen. i was assuming that the stats sum(variable) , sum (variable2) will acumulate results in "total" variable. What you suggest is the correct answer.

Thanks a Lot!

Eval and sum problemn

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?