Solved: Re: Eval and sum problemn

jnahuelperez35 · ‎12-30-2016

I have a couple events to search for 3 fields

MySearch | eval UTCOD=if((FIRST_ACT=5 and SECOND_ACT=2), 1, 0) | eval UTCOQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=0), 1, 0) | eval UTSQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=4), 1, 0) | stats sum(UTCOD) as total, sum(UTCOQ) as total, sum(UTSQ) as total

This provide's me just the last "total" that i'm sum (sum UTSQ)

What i need is to get the total of the 3 evaluations UTCOD + UTCOQ + UTSQ with a Single Value as the sum of three.

regards!

arkadyz1 · ‎12-30-2016

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

View solution in original post

arkadyz1 · ‎12-30-2016

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

jnahuelperez35 · ‎12-30-2016

That's what i want it to happen. i was assuming that the stats sum(variable) , sum (variable2) will acumulate results in "total" variable. What you suggest is the correct answer.

Thanks a Lot!

Eval and sum problemn

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation