Splunk Search

How to include multiple fields of the same type?

trevor7
Engager

I would like to add all instances of a field within the same variable, named SynchronousExecution. Is there a better way to include all fields of the same type?

 

 

| eval QPACAWTE_0001 = if(isNull(QPACAWTE_0001), 0, QPACAWTE_0001)             
| eval QPACAWTE_0002 = if(isNull(QPACAWTE_0002), 0, QPACAWTE_0002)             
| eval QPACAWTE_0003 = if(isNull(QPACAWTE_0003), 0, QPACAWTE_0003)             
| eval QPACAWTE_0004 = if(isNull(QPACAWTE_0004), 0, QPACAWTE_0004)             
| eval QPACAWTE_0005 = if(isNull(QPACAWTE_0005), 0, QPACAWTE_0005)                
| eval SynchronousExecution = QPACAWTE_0001 + QPACAWTE_0002 + QPACAWTE_0003 + QPACAWTE_0004 + QPACAWTE_0005

 

 

 

Thanks

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Assuming these are all numerics, you could do this

| eval SynchronousExecution = 0
| foreach QPACAWTE_*
  [| eval SynchronousExecution = SynchronousExecution + if(isnull(<<FIELD>>), 0, <<FIELD>>)]

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Assuming these are all numerics, you could do this

| eval SynchronousExecution = 0
| foreach QPACAWTE_*
  [| eval SynchronousExecution = SynchronousExecution + if(isnull(<<FIELD>>), 0, <<FIELD>>)]
0 Karma

trevor7
Engager

Thanks for your answer! This helps quite a bit.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...