Splunk Search

How to add two field values count to another field value?

pranay_adla
Explorer

alt text

I would like to add splunkd count and splunkd_access count as splunkd_total. Remaining table should look like this only. Can anyone help on this.

Tags (2)
0 Karma
1 Solution

vnravikumar
Champion

Hi

Try this

index=_internal |eval sourcetype = if(sourcetype =="splunkd" OR sourcetype =="splunkd_access","splunkd_total",sourcetype)
| stats count by sourcetype

View solution in original post

0 Karma

vnravikumar
Champion

Hi

Try this

index=_internal |eval sourcetype = if(sourcetype =="splunkd" OR sourcetype =="splunkd_access","splunkd_total",sourcetype)
| stats count by sourcetype
0 Karma

pranay_adla
Explorer

Thanks Ravi,

Same way can we subtract splunkd_access count from splunkd count?

0 Karma

vnravikumar
Champion

Give a try

index=_internal 
| stats count by sourcetype 
| transpose 0 header_field=sourcetype 
| eval splunkd_total = splunkd + splunkd_access 
| eval splunkd_diff = splunkd - splunkd_access 
| fields - splunkd, splunkd_access 
| transpose 
| where column !="column"
0 Karma

pranay_adla
Explorer

ravi small help if my field looks like this "HL7 - Its Duplicate Y". Eval not working can give me solution

0 Karma

vnravikumar
Champion

try with single quote 'HL7 - Its Duplicate Y'

0 Karma

pranay_adla
Explorer

Not working '-' accepts only number's getting this message

0 Karma

pranay_adla
Explorer

thank worked

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@pranay_adla

Is that what you looking for?

index=_internal | stats count by sourcetype | replace splunkd* with splunkd_total in sourcetype | stats sum(count) as count by sourcetype
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...