Solved: Re: How to multiply a field count by the field val...

ryan_t_gavin · ‎07-17-2018

We have a field whose values change called received_files. The values could be any integer. I need to take these values and multiply that integer by the count of the value.

This is best explained by an example:

received_files has the following field values: 1, 2, and 3. There are 100 results for "received_files=1", 50 results for "received_files=2", and 10 results for "received_files=3".

Based on this, I want to do this calculation: (1*100)+(2*50)+(3*10)=210. Then I want to put that 210 into a field called "total_files_received". The value of received_files changes all the time and could have 1, 2, and 3 one second, then it could have 350 in there the next.

How do I do this?

somesoni2 · ‎07-17-2018

Try something like this

your current search fetching field received_files
|stats count by received_files
| eval total_files_received=received_files*count
| stats sum(total_files_received) as total_files_received

View solution in original post

rlaul · ‎08-13-2019

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

    "\(TOTAL_REC\)::"
    |rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
    |stats count  by Batch_Size
    | eval tc = Batch_Size*count
    | stats sum(tc) as tc

Multiplying "count" by a whole number returns expected result with three columns. When i replace 10 with Batch_Size, it gives only two columns : Batch_Size, count.

Not sure why Batch_Size is not working in the multiplication operation.

"\(TOTAL_REC\)::" 
 |rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))" 
 | convert num(Batch_Size) 
 | stats count BY Batch_Size
 | eval tc = (10 * count)

Splunk Enterprise Version: 7.2.6

Any help will be appreciated. Thanks, Ro

somesoni2 · ‎08-13-2019

Can you post some sample raw data? I'm guessing field Batch_Size is not recognized as number (per your field extraction, you're extracting a space as well in its value) and the multiplication is failing. Give this a try as well

"\(TOTAL_REC\)::"
     |rex field=_raw "(\(TOTAL_REC\)::)\s(?P<Batch_Size>\d)"
     |stats count  by Batch_Size
     | eval tc = Batch_Size*count
     | stats sum(tc) as tc

rlaul · ‎08-23-2019

Thank you somesoni2. That worked. I really appreciate your help. 🙂

somesoni2 · ‎07-17-2018

Try something like this

your current search fetching field received_files
|stats count by received_files
| eval total_files_received=received_files*count
| stats sum(total_files_received) as total_files_received

ryan_t_gavin · ‎07-17-2018

I did NOT know you could just multiply it by "count". I've always used it as you did in stats, or by using count(). Thanks! That did exactly what I wanted.

rlaul · ‎08-13-2019

It did not work for me 😞 . Please see my comment above.

How to multiply a field count by the field value?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes