Splunk Search

Eval and sum problem

Path Finder

I have a couple events to search for 3 fields

MySearch | eval UTCOD=if((FIRSTACT=5 and SECONDACT=2), 1, 0) | eval UTCOQ=if((FIRSTACT=5) and (SECONDACT=4) and (STATFLAG=0), 1, 0) | eval UTSQ=if((FIRSTACT=5) and (SECONDACT=4) and (STATFLAG=4), 1, 0) | stats sum(UTCOD) as total, sum(UTCOQ) as total, sum(UTSQ) as total

This provides me just the last "total" that I'm summing (sum UTSQ)

What I need is to get the total of the 3 evaluations UTCOD + UTCOQ + UTSQ with a Single Value as the sum of three.

Regards!

0 Karma
Re: Eval and sum problem

Builder

First of all, you try to name three different stats with the same name - not sure what you want to achieve with that.
Second, replace your last | stats ... with something like this:
| eval all_UT=UTCOD+UTCOQ+UTSQ | stats sum(all_UT) as total

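The corrected search in full, as an added example that is not part of the original posts: each counter keeps its own output name so none overwrites another, and a final eval adds the combined total. `MySearch` stands for the base search from the question; reusing the field names as the stats aliases is a choice made here.

```spl
MySearch
| eval UTCOD=if(FIRSTACT=5 AND SECONDACT=2, 1, 0)
| eval UTCOQ=if(FIRSTACT=5 AND SECONDACT=4 AND STATFLAG=0, 1, 0)
| eval UTSQ=if(FIRSTACT=5 AND SECONDACT=4 AND STATFLAG=4, 1, 0)
| stats sum(UTCOD) as UTCOD, sum(UTCOQ) as UTCOQ, sum(UTSQ) as UTSQ
| eval total=UTCOD+UTCOQ+UTSQ
```

To return only the combined figure, append `| fields total`.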

Re: Eval and sum problem

Path Finder

That's what I want to happen. I was assuming that stats sum(variable), sum(variable2) would accumulate results in the "total" variable. What you suggest is the correct answer.

Thanks a lot!

0 Karma