Splunk Search

How to extract and calculate the sum of a field from different searches?

papemalik
Explorer

Hello,

I have a dashboard with 5 different searches, where I have a common (calculated) field (let's call it a score field), and I would like to extract and sum all the score fields in order to have a total score and then the average score.

Is that possible? And how?

Thank you very much for your help.


martin_mueller
SplunkTrust

Within the scope of a dashboard, you could have each search populate a token $score_1$, $score_2$, etc. and then merge the five tokens into one overall score token - that score token can then be displayed in an HTML panel or wherever you like.

Docs for setting the individual score tokens: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#done

Working example:

<dashboard>
  <label>score</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_1">$result.count$</set>
          </done>
        </search>
      </table>
      <table>
        <search>
          <query>index=_audit | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_2">$result.count$</set>
          </done>
        </search>
      </table>
      <table>
        <search>
          <query>| makeresults | eval score = $score_1$ + $score_2$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
