Splunk Search

How to SUM each row that contains commas

slamety
New Member

Hi all,

I'm new to Splunk and my English isn't too good, so I'm sorry for any mistakes here.

I have a log file, values.txt, that contains 3 rows, like these:
16,17,21,87,34,45,19,29,23,25
17,27,18,45,66,34,56,65,22,24
18,16,45,17,18,3,56

It's a simple thing: I want to SUM each row from this file. How do I do it?
For information, since this file does not contain any host, timestamp and so on, when I uploaded this file I set these manually:
host = server_txt
timestamp=current time
source=values.txt
source_type=sum_txt

Thank you very much

0 Karma

jeffland
SplunkTrust

Yeah, you may be interested in a total, but I think it's addtotals because you want the sum of each row.

On another note, you should consider the way your data is saved to file and indexed. Have a look at the logging best practices to get some basic ideas. The reason I'm saying this is because while you may know what this data is supposed to stand for (and how to interpret it), it is completely unlabeled (except for the host, filename/source/sourcetype), so there is very little in this data you can use later to correlate it with other information you have. In short, you (and anyone else for that matter) will never be able to easily use this data other than to look at the sum of each row here.

If you somehow can, you should really try to use key=value pairs, include the actual timestamp of those events in these files (they can be in any format - epoch, human readable, anything really), and at least add some information about what each row stands for. Much of this could be done if you included a header in your file and an identifier for each row, so that it looks more like this:

"time","component","temperature_1","value_2",...
<any actual timestamp>,rack1,16,17,...
<any actual timestamp>,rack2,16,17,...
<any actual timestamp>,psu,16,17,...

See how these little additions radically improve the amount of information you can retrieve? It will be hard to work with your data (for everyone else even more) if you just index a simple row of nondescript numbers.

0 Karma

vganjare
Builder

Hi,

You can try using the addcoltotals command? More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Addcoltotals

Thanks!!

0 Karma
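One way to get a per-row sum from the headerless file in the question, as an added example that is not from any of the posters above. It assumes each line of values.txt was indexed as its own event with the source and sourcetype given in the question; the names row_id, value, n_values and row_sum are hypothetical. The search splits each raw line on commas, expands it to one event per number, drops tokens that are not numeric, and sums per original row.

```spl
source="values.txt" sourcetype=sum_txt
| streamstats count AS row_id
| eval value=split(_raw, ",")
| mvexpand value
| eval value=tonumber(trim(value))
| where isnotnull(value)
| stats first(_raw) AS row count AS n_values sum(value) AS row_sum BY row_id
| sort row_id
```

Because every event in this file was given the upload time as its timestamp, row_id reflects the order in which the search returns events, not necessarily the line order in the file; the row column shows which line each sum belongs to.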