I have a search string.
index=data sourcetype=jobs QUEUE=myqueue| dedup JOBID | FIELDS CPU_USED, USER group by USER
Each user can run multiple jobs, so I'll have duplicate USER names in the searched event. I'll also have varied CPU for each job the USER ran.
I'd like to be able to do a search that aggregates the CPU_USED by USER. So if user1 runs 2 jobs in the time period, I can get CPU_USED from the first job, and CPU_USED from the 2nd job, added together into an aggregate (sum) value.
Could anyone assist with this?
You can try this to count the sum of CPU_USED for each USER
index=data sourcetype=jobs QUEUE=myqueue| dedup JOBID | stats sum(CPU_USED) by USER
That worked perfectly. Thank you!
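Added example, not part of the original thread: a self-contained search that reproduces the dedup-then-sum pattern from the answer above on constructed events, so it can be checked without access to the real index. The JOBID, USER and CPU_USED values are made up, and the output field names total_cpu and jobs are assumptions chosen for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval JOBID=case(n=1,"1001", n=2,"1001", n=3,"1002", n=4,"1003", n=5,"1003")
| eval USER=case(n<=3,"user1", n>=4,"user2")
| eval CPU_USED=case(n<=2,120, n=3,30, n>=4,45)
| eval QUEUE="myqueue"
| dedup JOBID
| stats sum(CPU_USED) AS total_cpu, dc(JOBID) AS jobs BY USER
```

Removing the dedup line adds CPU_USED once per event rather than once per job, so any job that logged more than one event is counted more than once in the sum.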
I believe you'll want to look here:
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addcoltotals