Solved: How to add value in two fields based on their name...

phularah · ‎01-27-2023

Hi, I would like to add value in two fields based on their name. I want the output as sum of traffic_in#fw1+traffic_out#fw1 and so on by _time.

yuanliu · ‎01-28-2023

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']

View solution in original post

yuanliu · ‎01-28-2023

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']

phularah · ‎01-29-2023

Yes, that's exactly what I wanted.

gcusello · ‎01-27-2023

HI @phularah,

did you tried with addtotals command (https://splunkonbigdata.com/usage-of-splunk-commands-addtotals/)?

Ciao.

Giuseppe

phularah · ‎01-28-2023

Hi, @gcusello,

addtotals would add all the field values, which I don't want.

I want the sum of the fields in such a way that it only adds up the fw values, like traffic_infw1+traffic_outfw1, traffic_infw2+traffic_outw2, traffic_infw3+traffic_outfw3 and so on. Now, fw can change and so do their numbers.

So, if I have 10 fields initially, I should get 5 fields after the summation of required field values. and after that timechart would show 5 graphical lines.

Like in the screenshot shared in the question, I would want sum of field values of 1st and 5th field, 2nd and 6th, 3rd and 7th and 4th and 8th fields.

gcusello · ‎01-29-2023

Hi @phularah ,

if the field names are fixed, you can use eval to sum some selected values.

Ciao.

Giuseppe

How to add value in two fields based on their name?

chart

fields

timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?