Solved: Re: Need help with a splunk search

phularah · ‎01-27-2023

Hi, I would like to add value in two fields based on their name. I want the output as sum of traffic_in#fw1+traffic_out#fw1 and so on by _time.

yuanliu · ‎01-28-2023

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']

View solution in original post

yuanliu · ‎01-28-2023

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']

phularah · ‎01-29-2023

Yes, that's exactly what I wanted.

gcusello · ‎01-27-2023

HI @phularah,

did you tried with addtotals command (https://splunkonbigdata.com/usage-of-splunk-commands-addtotals/)?

Ciao.

Giuseppe

phularah · ‎01-28-2023

Hi, @gcusello,

addtotals would add all the field values, which I don't want.

I want the sum of the fields in such a way that it only adds up the fw values, like traffic_infw1+traffic_outfw1, traffic_infw2+traffic_outw2, traffic_infw3+traffic_outfw3 and so on. Now, fw can change and so do their numbers.

So, if I have 10 fields initially, I should get 5 fields after the summation of required field values. and after that timechart would show 5 graphical lines.

Like in the screenshot shared in the question, I would want sum of field values of 1st and 5th field, 2nd and 6th, 3rd and 7th and 4th and 8th fields.

gcusello · ‎01-29-2023

Hi @phularah ,

if the field names are fixed, you can use eval to sum some selected values.

Ciao.

Giuseppe

How to add value in two fields based on their name?

chart

fields

timechart

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7