Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Eval and sum problemn

jnahuelperez35
Path Finder
‎12-30-2016 09:35 AM

I have a couple events to search for 3 fields

MySearch | eval UTCOD=if((FIRSTACT=5 and SECONDACT=2), 1, 0) | eval UTCOQ=if((FIRSTACT=5) and (SECONDACT=4) and (STATFLAG=0), 1, 0) | eval UTSQ=if((FIRSTACT=5) and (SECONDACT=4) and (STATFLAG=4), 1, 0) | stats sum(UTCOD) as total, sum(UTCOQ) as total, sum(UTSQ) as total

This provide's me just the last "total" that i'm sum (sum UTSQ)

What i need is to get the total of the 3 evaluations UTCOD + UTCOQ + UTSQ with a Single Value as the sum of three.

regards!

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Eval and sum problemn

arkadyz1
Builder
‎12-30-2016 09:43 AM

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: Eval and sum problemn

jnahuelperez35
Path Finder
‎12-30-2016 09:58 AM

That's what i want it to happen. i was assuming that the stats sum(variable) , sum (variable2) will acumulate results in "total" variable. What you suggest is the correct answer.

Thanks a Lot!

0 Karma
Reply