Splunk Search

How to add value in two fields based on their name?

phularah
Communicator

Hi, I would like to add value in two fields based on their name.  I want the output as sum of traffic_in#fw1+traffic_out#fw1 and so on by _time.

phularah_0-1674834255078.png

 

Labels (3)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']

View solution in original post

Tags (1)

yuanliu
SplunkTrust
SplunkTrust

Something like this?

| foreach traffic_*#*
    [eval "in_and_out#<<MATCHSEG2>>" = 'traffic_in#<<MATCHSEG2>>' + 'traffic_out#<<MATCHSEG2>>']
Tags (1)

phularah
Communicator

Yes, that's exactly what I wanted.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @phularah,

did you tried with addtotals command (https://splunkonbigdata.com/usage-of-splunk-commands-addtotals/)?

Ciao.

Giuseppe

0 Karma

phularah
Communicator

Hi, @gcusello,

addtotals would add all the field values, which I don't want.

I want the sum of the fields in such a way that it only adds up the fw values, like traffic_infw1+traffic_outfw1, traffic_infw2+traffic_outw2, traffic_infw3+traffic_outfw3 and so on. Now, fw can change and so do their numbers. 

So, if I have 10 fields initially, I should get 5 fields after the summation of required field values. and after that timechart would show 5 graphical lines.

Like in the screenshot shared in the question, I would want sum of field values of 1st and 5th field, 2nd and 6th, 3rd and 7th and 4th and 8th fields.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @phularah ,

if the field names are fixed, you can use eval to sum some selected values.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...