Solved: How to add two field values count to another field...

pranay_adla · ‎06-07-2019

I would like to add splunkd count and splunkd_access count as splunkd_total. Remaining table should look like this only. Can anyone help on this.

vnravikumar · ‎06-07-2019

Hi

Try this

index=_internal |eval sourcetype = if(sourcetype =="splunkd" OR sourcetype =="splunkd_access","splunkd_total",sourcetype)
| stats count by sourcetype

View solution in original post

vnravikumar · ‎06-07-2019

Hi

Try this

index=_internal |eval sourcetype = if(sourcetype =="splunkd" OR sourcetype =="splunkd_access","splunkd_total",sourcetype)
| stats count by sourcetype

pranay_adla · ‎06-07-2019

Thanks Ravi,

Same way can we subtract splunkd_access count from splunkd count?

vnravikumar · ‎06-07-2019

Give a try

index=_internal 
| stats count by sourcetype 
| transpose 0 header_field=sourcetype 
| eval splunkd_total = splunkd + splunkd_access 
| eval splunkd_diff = splunkd - splunkd_access 
| fields - splunkd, splunkd_access 
| transpose 
| where column !="column"

pranay_adla · ‎06-07-2019

ravi small help if my field looks like this "HL7 - Its Duplicate Y". Eval not working can give me solution

vnravikumar · ‎06-07-2019

try with single quote 'HL7 - Its Duplicate Y'

pranay_adla · ‎06-10-2019

Not working '-' accepts only number's getting this message

pranay_adla · ‎06-07-2019

thank worked

kamlesh_vaghela · ‎06-07-2019

@pranay_adla

Is that what you looking for?

index=_internal | stats count by sourcetype | replace splunkd* with splunkd_total in sourcetype | stats sum(count) as count by sourcetype

How to add two field values count to another field value?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms