How to extract and calculate the sum of a field from different searches?

Explorer

Hello,

I have a dashboard with 5 different searches, where I have a common (calculated) field (let's call it a score field). I would like to extract and sum all the score fields, in order to have a total score and then the average score.

Is that possible? And how?

Thank you very much for your help.

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

SplunkTrust

Can you share your dashboard xml?

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

Explorer

Unfortunately I can't. I'll try to anonymize the information.

But you can see it just as 5 different queries with a common field.

Thanks for your help.

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

SplunkTrust

Natively it's not possible to get the values of a field from various panels and show them in a separate panel. The only option would be to merge all the searches together as a base search and use panels to populate data using post-process searches. See this for more info on Post-Process in dashboards:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Post-process_searches
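
The base-search and post-process layout described in the answer above, as an added example that is not part of the original post. The two indexes and `stats count AS score` stand in for the five real searches, and the `score_base` id and the panel titles are assumed names.

```xml
<dashboard>
  <label>score (post-process example)</label>
  <!-- Base search: runs once and returns one row per source with a common "score" field.
       The indexes and the score calculation are placeholders for the five real searches. -->
  <search id="score_base">
    <query>index=_internal OR index=_audit | stats count AS score BY index</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Score: _internal</title>
      <table>
        <!-- Post-process search: filters the base results, no second trip to the index -->
        <search base="score_base">
          <query>| search index=_internal | fields score</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Score: _audit</title>
      <table>
        <search base="score_base">
          <query>| search index=_audit | fields score</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Total and average</title>
      <table>
        <!-- Sum and average of the common field across all rows of the base search -->
        <search base="score_base">
          <query>| stats sum(score) AS total_score avg(score) AS average_score</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The base search is kept as a transforming search (`stats`) so that every post-process search sees the same small result set, including the `score` field it needs.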


Re: How to extract and calculate the sum of a field from different searches?

SplunkTrust

Bingo! Also, this assumes all your values are integers. If some or all of your values are strings, then you can change them to integers by doing this:

... | convert num(FIELD_NAME)


Re: How to extract and calculate the sum of a field from different searches?

Explorer

OK. Thank you very much.

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

Explorer

Ok. Thank you so much

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

Splunk Employee

@papermalik - Did the comment provided by somesoni provide a solution to your question? If yes, please let me know so that I can convert it to an Answer to close out your question. If no, please leave a comment with more feedback. Thank you.

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

Explorer

Yes, it did help, but the solution is not satisfying yet. Anyway, thank you very much.

0 Karma

Re: How to extract and calculate the sum of a field from different searches?

SplunkTrust

Within the scope of a dashboard, you could have each search populate a token $score_1$, $score_2$, etc. and then merge the five tokens into one overall score token. That score token can then be displayed in an HTML panel or wherever you like.

Docs for setting the individual score tokens: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#done

Working example:

<dashboard>
  <label>score</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_1">$result.count$</set>
          </done>
        </search>
      </table>
      <table>
        <search>
          <query>index=_audit | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_2">$result.count$</set>
          </done>
        </search>
      </table>
      <table>
        <search>
          <query>| makeresults | eval score = $score_1$ + $score_2$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
