Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to Summarize on distinct value?

hvdtol
Path Finder
‎08-16-2023 10:38 PM

Hello there,

I would like some help with my query.

I want to summarize 2 fields into 2 new columns

One field is unique, but the other is not
The field fhost is not unique.

I want the sum of field "cores" by unique combination of the columns    "clname" and  "fhost"

I am struggle how to do this properly and how i can use the sum unique for column "fhost"

| makeresults
| eval clname="clusterx", fhost="f-hosta", vhost="v-hosta",cores=2,cpu=1
| append [| makeresults | eval clname="clusterx", fhost="f-hosta", vhost="v-hostb" ,cores=2,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostb", vhost="v-hostc" ,cores=4,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostc", vhost="v-hostd" ,cores=6,cpu=1 ]

| eventstats sum(cpu) as total_vhost_cpus by clname

``` This is not working ```
| eventstats sum(cores) as total_fhost_cores by clname fhost

`` The output should be in table format ```

| table clname cores cpu fhost vhost  total_vhost_cpus  total_fhost_cores

Thank you in advance.

Harry

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2023 02:22 AM

Assuming cores relates to fhosts and cpus relates to vhosts, your data has mixed where these counts are coming from, so you need to split them out. Try something like this

| makeresults
| eval clname="clusterx", fhost="f-hosta", vhost="v-hosta",cores=2,cpu=1
| append [| makeresults | eval clname="clusterx", fhost="f-hosta", vhost="v-hostb" ,cores=2,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostb", vhost="v-hostc" ,cores=4,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostc", vhost="v-hostd" ,cores=6,cpu=1 ]
| eval fhost-{fhost}=cores
| eventstats values(fhost-*) as fhost-cores-* by clname
| eval total_fhost_cores=0
| foreach fhost-cores-*
    [| eval total_fhost_cores=total_fhost_cores + '<<FIELD>>']
| fields - fhost-*
| eventstats sum(cpu) as total_vhost_cpus by clname
| table clname cores cpu fhost vhost  total_vhost_cpus  total_fhost_cores

btw, unless you are working in base 12, 2+4+6=12 not 10!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-16-2023 11:20 PM

It would help if you describe what "this is not working" actually means.  What is the result you get and what is the result you expect?  What is the logic between your data and your expected result?

Using your sample data and your sample stats, this is the table

clnamecorescpufhostvhosttotal_vhost_cpustotal_fhost_cores
clusterx21f-hostav-hosta44
clusterx21f-hostav-hostb44
clusterx41f-hostbv-hostc44
clusterx61f-hostcv-hostd46

Can you explain why this not what you expect?  What is the problem you are trying to solve using two eventstats command with raw events, not a stats?

0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎08-17-2023 12:29 AM

Sorry, i was not clear. I am trying to get a sum of unique fhost by cluster.

So the outcome should be
f-hosta cores=2 f-hostb cores=4 f-hostc cores=6

2+4+6=10 in field "total_fhost_cores"

Regards, Harry

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2023 02:22 AM

Assuming cores relates to fhosts and cpus relates to vhosts, your data has mixed where these counts are coming from, so you need to split them out. Try something like this

| makeresults
| eval clname="clusterx", fhost="f-hosta", vhost="v-hosta",cores=2,cpu=1
| append [| makeresults | eval clname="clusterx", fhost="f-hosta", vhost="v-hostb" ,cores=2,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostb", vhost="v-hostc" ,cores=4,cpu=1 ]
| append [| makeresults | eval clname="clusterx", fhost="f-hostc", vhost="v-hostd" ,cores=6,cpu=1 ]
| eval fhost-{fhost}=cores
| eventstats values(fhost-*) as fhost-cores-* by clname
| eval total_fhost_cores=0
| foreach fhost-cores-*
    [| eval total_fhost_cores=total_fhost_cores + '<<FIELD>>']
| fields - fhost-*
| eventstats sum(cpu) as total_vhost_cpus by clname
| table clname cores cpu fhost vhost  total_vhost_cpus  total_fhost_cores

btw, unless you are working in base 12, 2+4+6=12 not 10!

0 Karma
Reply
Solved! Jump to solution

hvdtol
Path Finder
‎08-17-2023 02:37 AM

Of course is should be 12.  I am ashamed.😏

But thank you very much

The | eval fhost-{fhost}=cores is a very nice solution
I did not know thos was possible.

Thank you for your help

Regards,

Harry

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...