Splunk Search

How to add value in two fields based on their name?

phularah
Communicator

Hi, I would like to add the values of two fields based on their names. I want the output as the sum of traffic_in#fw1+traffic_out#fw1 and so on, by _time.

phularah_0-1674834255078.png

0 Karma
1 Solution

yuanliu
SplunkTrust

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']


phularah
Communicator

Yes, that's exactly what I wanted.

0 Karma

gcusello
SplunkTrust

Hi @phularah,

Did you try the addtotals command (https://splunkonbigdata.com/usage-of-splunk-commands-addtotals/)?

Ciao.

Giuseppe

0 Karma

phularah
Communicator

Hi, @gcusello,

addtotals would add all the field values, which I don't want.

I want the sum of the fields in such a way that it only adds up the fw values, like traffic_infw1+traffic_outfw1, traffic_infw2+traffic_outfw2, traffic_infw3+traffic_outfw3 and so on. Now, fw can change and so do their numbers.

So, if I have 10 fields initially, I should get 5 fields after the summation of the required field values, and after that timechart would show 5 graphical lines.

Like in the screenshot shared in the question, I would want the sum of the field values of the 1st and 5th fields, 2nd and 6th, 3rd and 7th, and 4th and 8th fields.

0 Karma

gcusello
SplunkTrust

Hi @phularah,

If the field names are fixed, you can use eval to sum some selected values.

Ciao.

Giuseppe

0 Karma
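
The accepted foreach approach applied to constructed sample data, as an added example that is not part of the original thread: it loops over only the traffic_in#* fields so each firewall is summed once, treats a missing direction as 0 (an assumption; without coalesce, eval returns null for that row), and keeps only the summed fields so the original per-direction fields drop out of the chart. The makeresults rows, the counter n and all values are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = _time - n*60
| eval "traffic_in#fw1" = n*10,
       "traffic_out#fw1" = n*5,
       "traffic_in#fw2" = n*7,
       "traffic_out#fw2" = if(n=2, null(), n*3)
| foreach traffic_in#*
    [eval "in_and_out#<<MATCHSTR>>" = coalesce('<<FIELD>>', 0) + coalesce('traffic_out#<<MATCHSTR>>', 0)]
| fields _time in_and_out#*
| sort _time
```

In a real search, the lines from foreach onward go after the timechart that produces the traffic_in#* and traffic_out#* columns.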