
How to SUM each row that contains commas

slamety
New Member

Hi All,

I'm new to Splunk and my English isn't too good, so I'm sorry if there are any mistakes in here.

I have a log file, values.txt, that contains 3 rows, like these:
16,17,21,87,34,45,19,29,23,25
17,27,18,45,66,34,56,65,22,24
18,16,45,17,18,3,56

It's a simple thing: I want to SUM each row from this file. How do I do it?
For information, since this file does not contain any host, timestamp and so on, when uploading this file I set these manually:
host = server_txt
timestamp=current time
source=values.txt
source_type=sum_txt

Thank you very much

0 Karma

jeffland
Champion

Yeah, you may be interested in a total, but I think it's addtotals because you want the sum of each row.

On another note, you should consider the way your data is saved to file and indexed. Have a look at the logging best practices to get some basic ideas. The reason I'm saying this is because while you may know what this data is supposed to stand for (and how to interpret it), it is completely unlabeled (except for the host, filename/source/sourcetype), so there is very little in this data you can use later to correlate it with other information you have. In short, you (and anyone else for that matter) will never be able to easily use this data other than to look at the sum of each row here.

If you somehow can, you should really try to use key=value pairs, include the actual timestamp of those events in these files (they can be in any format - epoch, human readable, anything really), and at least add some information about what each row stands for. Much of this could be done if you included a header in your file and an identifier for each row, so that it looks more like this:

"time","component","temperature_1","value_2",...
<any actual timestamp>,rack1,16,17,...
<any actual timestamp>,rack2,16,17,...
<any actual timestamp>,psu,16,17,...

See how these little additions radically improve the amount of information you can retrieve? It will be hard to work with your data (for everyone else even more) if you just index a simple row of nondescript numbers.

0 Karma

vganjare
Builder

Hi,

You can try using the addcoltotals command. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Addcoltotals

Thanks!!

0 Karma
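
One way to get the per-row sum the question asks for, as an added example that is not part of any post in this thread. It assumes each line of values.txt was indexed as its own event and uses the source and sourcetype names given in the question (the sourcetype field is spelled `sourcetype` in a search); `row`, `value`, `row_total` and `line` are names chosen here for illustration.

```spl
sourcetype=sum_txt source="values.txt"
| streamstats count AS row
| eval value=split(_raw, ",")
| mvexpand value
| stats sum(value) AS row_total first(_raw) AS line BY row
```

`streamstats` numbers the events in the order the search returns them, which is newest first by default, so `row` is a per-search label rather than the line number in the file. Because the events carry no field names, `split` on `_raw` is what turns each comma-separated line into values that `stats` can add up.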