How to Use Eval to add 2 Field Values
Search --
|source1 | stats count(source1.field1) by (source1.field2) | sort 0 source1.field2
- Search Output
source1.field2 | count
dev | 6
prod | 5
uat | 7
qa | 8
- How can we add the count values of 'prod' and 'uat' and also display the field value as below? Is this doable?
source1.field2 | count
dev | 6
prod + uat | 12
qa | 8
| makeresults
| eval _raw="Source1_field2,Count
dev,6
prod,5
uat,7
qa,8"
| multikv forceheader=1
| table Source1_field2,Count
| rename COMMENT as "this is sample your stats output"
| transpose 0 header_field=Source1_field2
| eval "prod + uat"=prod+uat
| fields - prod uat
| transpose 0 column_name="Source1_field2" header_field=column
This query aims to aggregate after stats
| makeresults
| eval _raw="Source1_field2,Count
dev,6
prod,5
uat,7
qa,8"
| multikv forceheader=1
| table Source1_field2,Count
| eval range=mvrange(0,Count)
| mvexpand range
| rename COMMENT as "this your log sample, from here, the logic"
| eval Source1_field2=if(Source1_field2="prod" OR Source1_field2="uat","prod + uat",Source1_field2)
| stats count as Count by Source1_field2
This query aims to aggregate "prod + uat" and others.
Code Sample is useless when multikv forceheader=1, because extra space is added.
I am troubled.
woodcock
Like this:
| makeresults count=6
| eval field2="dev"
| append
[| makeresults count=5
| eval field2="prod"]
| append
[| makeresults count=7
| eval field2="uat"]
| append
[| makeresults count=8
| eval field2="qa"]
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| stats count BY field2
| sort 0 field2
| eval env="count"
| xyseries env field2 count
| eval prod_n_uat = prod + uat
| fields - prod uat
| untable env field2 count
| fields - env
richgalloway (SplunkTrust)
Add an eval after stats.
source1 | stats count(source1.field1) by (source1.field2) | eval sum=prod + uat | sort 0 source1.field2
If this reply helps you, Karma would be appreciated.
woodcock
Not without tabling it first.
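
An added example, not part of any reply in this thread: after `stats ... by field2`, prod and uat are row values rather than fields, so one alternative is to stay row-wise, relabel both rows, and sum the counts that already exist. The lines above the `rename COMMENT` line only build constructed sample rows standing in for the stats output; `field2`, `count` and `row` are assumed field names.

```spl
| makeresults
| eval row=split("dev,6;prod,5;uat,7;qa,8", ";")
| mvexpand row
| eval field2=mvindex(split(row, ","), 0), count=tonumber(mvindex(split(row, ","), 1))
| table field2 count
| rename COMMENT AS "Constructed sample above stands in for: stats count BY field2"
| eval field2=if(in(field2, "prod", "uat"), "prod + uat", field2)
| stats sum(count) AS count BY field2
| sort 0 field2
```

Because the counts are summed rather than recounted, this runs directly on the stats output and extends to other groupings by changing the values listed in `in()`.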