Solved: How to add values of multiple variable, where the ...

harish_ka · ‎11-18-2014

i have a field in my log as "BookCount 10 /BookCount"
if a Library pass contains more than one members then the field repeats based on the number of members.
For Ex: If a Library pass has 1 members, then my log returns 1 bookcount values as "BookCount 10 /BookCount"
If a Library pass has 3 members, then my log returns three bookcount values as below,
"BookCount 10 /BookCount" "BookCount 50 /BookCount" "BookCount 40 /BookCount"
I want to get the sum of bookcount.
I am using rex "(openTag)BookCount(?CountOfBook.*)(closeTag)BookCount"|stats list(CountOfBook) as "TotalCount".
I am getting only the first value.

Can anyone suggest me a better query to implement this????

lguinn2 · ‎11-18-2014

If the data is formatted as XML, you could try the xmlkv command:

yoursearchhere
| xmlkv

rex is only going to give you the first value, because your regular expression only finds the first value.
You could try this

yoursearchhere
| rex max_match=0 "\<BookCount\>\s*(?<CountOfBook>\d+)\s*\<\/BookCount\>"
| mvexpand CountOfBook
| stats sum(CountofBook) as TotalBooks

This should extract multiple values of BookCount; you will end up with a multi-valued field.

View solution in original post

lguinn2 · ‎11-18-2014

If the data is formatted as XML, you could try the xmlkv command:

yoursearchhere
| xmlkv

rex is only going to give you the first value, because your regular expression only finds the first value.
You could try this

yoursearchhere
| rex max_match=0 "\<BookCount\>\s*(?<CountOfBook>\d+)\s*\<\/BookCount\>"
| mvexpand CountOfBook
| stats sum(CountofBook) as TotalBooks

This should extract multiple values of BookCount; you will end up with a multi-valued field.

harish_ka · ‎11-18-2014

So how to add this values?
i need the total value of BookCount

harish_ka · ‎11-19-2014

Thanks Lguinn.
But this regex didnt work for me.
Can you explain how can i use xmlkv for getting this total of CountOfBook

lguinn2 · ‎11-19-2014

xmlkv won't create the total, but it should extract the fields.

I edited the regular expression above - maybe it will work now.

I also added the command to sum the values in a multi-valued field.

harish_ka · ‎12-03-2014

How can i get the sum of bookcount if the BookCount tags are not appeared one after another in my log??
LIke below

"BookCount 10 /BookCount" "BookName ABC /BookName" ......."BookCount 50 /BookCount" "BookName XYZ /BookName"......"BookCount 40 /BookCount"

harish_ka · ‎11-19-2014

It worked...
Thank You so much...
:)

lguinn2 · ‎11-18-2014

I assume that the format is actually XML, like this:

<BookCount>10</BookCount>

or

<BookCount>10</BookCount><BookCount>50</BookCount><BookCount>40</BookCount>

with no quotation marks?

harish_ka · ‎11-18-2014

"BookCount 10 /BookCount" is a tag. I was not able to use <> in this text box.
openTag(BookCount)-value-CloseTag(BookCount)

harish_ka · ‎11-18-2014

Can anyone help me on this????

How to add values of multiple variable, where the number of variable differs in different events

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to add values of multiple variable, where the number of variable differs in different events

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem