Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get Sum of two fields from different searches?

Techie
Engager
‎09-15-2023 11:26 AM

Hi -

I would like to join and sum the results and output

The searches:

index=test_index sourcetype="test_source"  className=export | table message.totalExportedProfileCounter

index=test_index sourcetype="test_source"  className=export | table message.exportedRecords

From above both searches I am looking to add message.totalExportedProfileCounter, message.exportedRecords. For a given call only one of the above search shows up.

I am looking for message.totalExportedProfileCounter + message.exportedRecords

 

Thanks in advance!

 

Thanks.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-16-2023 09:09 AM

Is this what you mean?

index=test_index sourcetype="test_source"  className=export
| stats sum(message.totalExportedProfileCounter) as Total_number_of_exported_profiles sum(message.exportedRecords) as Total_number_of_exported_records
| eval total = Total_number_of_exported_profiles + Total_number_of_exported_records

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-16-2023 12:28 AM

Calculations can be done with fields in the same event.

index=test_index sourcetype="test_source"  className=export
| eval total = message.totalExportedProfileCounter + message.exportedRecords

If these fields do not have values in the same event, you need to use something like stats to correlate different events into the same event. For this you need a common field value between events to correlate them by.

0 Karma
Reply
Solved! Jump to solution

Techie
Engager
‎09-16-2023 07:54 AM

@ITWhisperer Thanks for the reply,

I tried below individually for getting sum of all records for each event type

index=test_index sourcetype="test_source"  className=export | stats sum(message.totalExportedProfileCounter) as Total_number_of_exported_profiles 

index=test_index sourcetype="test_source"  className=export | stats sum(message.exportedRecords) as Total_number_of_exported_profiles 

 

Above queries run just fine by themselves but I am more interested to add both these results into one.

Also the common field that you were asking for can be message.type=export_job which is available in both events.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-16-2023 09:09 AM

Is this what you mean?

index=test_index sourcetype="test_source"  className=export
| stats sum(message.totalExportedProfileCounter) as Total_number_of_exported_profiles sum(message.exportedRecords) as Total_number_of_exported_records
| eval total = Total_number_of_exported_profiles + Total_number_of_exported_records
0 Karma
Reply
Solved! Jump to solution

Techie
Engager
‎09-16-2023 09:55 AM

This is not helping.

Total_number_of_exported_profiles or Total_number_of_exported_records is showing up but not sum of them. See below screenshot.

 

Techie_0-1694883207603.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-16-2023 10:47 AM

If

index=test_index sourcetype="test_source"  className=export
| stats sum(message.totalExportedProfileCounter) as Total_number_of_exported_profiles

give you a result, and

index=test_index sourcetype="test_source"  className=export
| stats sum(message.exportedRecords) as Total_number_of_exported_records

also gives you a result, then

index=test_index sourcetype="test_source"  className=export
| stats sum(message.totalExportedProfileCounter) as Total_number_of_exported_profiles sum(message.exportedRecords) as Total_number_of_exported_records

should give you two results which can be added together. Please recheck your searches.

0 Karma
Reply
Solved! Jump to solution

Techie
Engager
‎09-16-2023 03:16 PM

Looks like the final sum is not calculated when one of the results is empty. If both are available then the total is populated correctly. In my case either one of them is present. Any idea how to calculate sum in this case?

| eval total = Total_number_of_exported_profiles + Total_number_of_exported_records

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-17-2023 01:16 AM 
| fillnull value=0 Total_number_of_exported_profiles Total_number_of_exported_records
| eval total = Total_number_of_exported_profiles + Total_number_of_exported_records
0 Karma
Reply
Solved! Jump to solution

Techie
Engager
‎09-18-2023 08:10 AM

This helped. Thanks @ITWhisperer 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...