Splunk Search

## How to multiply a field count by the field value?

New Member

We have a field whose values change called received_files. The values could be any integer. I need to take these values and multiply that integer by the count of the value.

This is best explained by an example:

``````received_files has the following field values: 1, 2, and 3. There are 100 results for "received_files=1", 50 results for "received_files=2", and 10 results for "received_files=3".
``````

Based on this, I want to do this calculation: (1*100)+(2*50)+(3*10)=210. Then I want to put that 210 into a field called "total_files_received". The value of received_files changes all the time and could have 1, 2, and 3 one second, then it could have 350 in there the next.

How do I do this?

Tags (3)
1 Solution
Revered Legend

Try something like this

``````your current search fetching field received_files
|stats count by received_files
| eval total_files_received=received_files*count
| stats sum(total_files_received) as total_files_received
``````
Engager

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

``````    "\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc
``````

Multiplying "count" by a whole number returns expected result with three columns. When i replace 10 with Batch_Size, it gives only two columns : Batch_Size, count.

Not sure why Batch_Size is not working in the multiplication operation.

``````"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
| convert num(Batch_Size)
| stats count BY Batch_Size
| eval tc = (10 * count)
``````

Splunk Enterprise Version: 7.2.6

Any help will be appreciated. Thanks, Ro

Revered Legend

Can you post some sample raw data? I'm guessing field Batch_Size is not recognized as number (per your field extraction, you're extracting a space as well in its value) and the multiplication is failing. Give this a try as well

``````"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)\s(?P<Batch_Size>\d)"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc
``````
Engager

Thank you somesoni2. That worked. I really appreciate your help. 🙂

Revered Legend

Try something like this

``````your current search fetching field received_files
|stats count by received_files
| eval total_files_received=received_files*count
| stats sum(total_files_received) as total_files_received
``````
New Member

I did NOT know you could just multiply it by "count". I've always used it as you did in stats, or by using count(). Thanks! That did exactly what I wanted.

Engager

It did not work for me 😞 . Please see my comment above.

Did you miss .conf21 Virtual?

### Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Get Updates on the Splunk Community!