Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I run stats sum as command on same search for two different values?

tonahoyos
Explorer
‎10-09-2017 02:19 PM

I have the following search:

index="data_integration" host="sampledata" sourcetype="csv" Object_Account="4*" OR Object_Account="5*"|stats sum("Domestic _Amount") AS CM

and the following second search:

index="data_integration" host="sampledata" sourcetype="csv" Object_Account="4*"| stats sum("Domestic _Amount") AS Sales

I want to be able to divide CM/Sales. What is the best command or the best way to join these two searches in order to do the division?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-09-2017 02:36 PM

Hi tonahoyos,

you can try something like this:

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount, "5%"),DomesticAmount,0)
| stats sum(Sales) as Sales, sum(Costs) as Costs 
| eval CM=Sales+Costs 
| eval CMPer=CM/Sales

The first eval checks the Object_Account and sets the value used, this value is used in the stats to sum the total number.
This is untested, so please bear in mind that you might need to adapt this to your actual events, but it should help you to get you going.

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tonahoyos
Explorer
‎10-13-2017 10:14 AM

Hello everyone,

I tried a different way to solve the problem. I am getting close, but my Cost ("5*") do not sum, the if statement throws out the 0 instead. What can I do to fix this? Should I try a different command?

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| stats sum(eval(if(ObjectAccount="411010",DomesticAmount,0))) as Sales, sum(eval(if(ObjectAccount="5*",DomesticAmount,0))) as Costs
| eval CM=Sales+Costs
| eval CMPer=CM/Sales

Thank you for all the help!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-11-2017 12:10 PM

Is there really a space in "Domestic _Amount"? I can't imagine why someone would name a field that.

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 05:27 PM

Hey @tonahoyos, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma
Reply
Solved! Jump to solution

justinatpnnl
Communicator
‎10-09-2017 04:38 PM

Here is another way to do this with a single stats command using an inline eval:

index="data_integration" host="sampledata" sourcetype="csv" Object_Account="4*" OR Object_Account="5*"
| stats sum("Domestic _Amount") as CM, sum( eval( if( Object_Account like "4%", 'Domestic _Amount', 0 ))) as Sales
| eval ratio = Sales / CM
0 Karma
Reply
Solved! Jump to solution

tonahoyos
Explorer
‎10-11-2017 11:29 AM

Hello justinatpnnl,

First, I appreciate your help! I have tested the search and it seems as if there is an issue with the following:

sum( eval( if( Object_Account like "4%", 'Domestic _Amount', 0 ))) as Sales

The CM amount shows up, but the Sales amount never does. I have played with it and moved it around a little bit, but I have not been able to sum the Object_Account="4*" amounts.

Also, I have a question about the if statement. Does it mean that if the object_account contains a 4%, then it will add the Domestic_Amount values, else it turns the value Sales to 0?

0 Karma
Reply
Solved! Jump to solution

tonahoyos
Explorer
‎10-13-2017 10:16 AM

I did the search a different way, but it seems as if the second eval statement is just throwing out the 0 instead of doing the sum, do you see anything wrong with this search?

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| stats sum(eval(if(ObjectAccount="411010",DomesticAmount,0))) as Sales, sum(eval(if(ObjectAccount="5*",DomesticAmount,0))) as Costs
| eval CM=Sales+Costs
| eval CMPer=CM/Sales

0 Karma
Reply
Solved! Jump to solution

justinatpnnl
Communicator
‎10-13-2017 01:42 PM

Within an if statement, you can't use * as a wildcard. You have to use LIKE with % as the wildcard.

if(ObjectAccount LIKE "5%",DomesticAmount, 0)

0 Karma
Reply
Solved! Jump to solution

justinatpnnl
Communicator
‎10-11-2017 11:37 AM

My guess is that Splunk is having trouble with the field that has a space in it. Can you try first renaming that field to something simpler and see if it works? I used the single quotes around Domestic _Amount to hopefully prevent that issue, but I'm wondering if that is the hang up.

For your second question, it is doing a sum on the values returned from the if statement. If it finds a value of 4% (% being a wildcard when using LIKE), then it returns the value of the Domestic _Amount field. Otherwise it returns a zero, so that it doesn't get added to sales.

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-09-2017 02:36 PM

Hi tonahoyos,

you can try something like this:

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount, "5%"),DomesticAmount,0)
| stats sum(Sales) as Sales, sum(Costs) as Costs 
| eval CM=Sales+Costs 
| eval CMPer=CM/Sales

The first eval checks the Object_Account and sets the value used, this value is used in the stats to sum the total number.
This is untested, so please bear in mind that you might need to adapt this to your actual events, but it should help you to get you going.

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

tonahoyos
Explorer
‎10-11-2017 11:37 AM

Hello MuS,

Thank you for your answer and your time! I have not been able to solve the search. It seems as if there was an issue after the first eval statement. It narrows down the search to the 4* and 5* Object_account numbers, but it does not follow the first eval section correctly.

Thank you for your help, I will keep on working on it.

Best,

0 Karma
Reply
Solved! Jump to solution

tonahoyos
Explorer
‎10-13-2017 10:16 AM

I did the search a different way, but it seems as if the second eval statement is just throwing out the 0 instead of doing the sum, do you see anything wrong with this search?

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| stats sum(eval(if(ObjectAccount="411010",DomesticAmount,0))) as Sales, sum(eval(if(ObjectAccount="5*",DomesticAmount,0))) as Costs
| eval CM=Sales+Costs
| eval CMPer=CM/Sales

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-13-2017 10:59 AM

This is because you use a 5* in the if statement, that does not work. You have to add a like() (pro tip: for easier reading and understanding move eval out of stats - no performance impact at all 😉 😞

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount, "5%"),DomesticAmount,0)
| stats sum(Sales) as Sales, sum(Costs) as Costs
| eval CM=Sales+Costs
| eval CMPer=CM/Sales

cheers, MuS

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...