Splunk Search

How to multiply a field count by the field value? New Member

We have a field whose values change called received_files. The values could be any integer. I need to take these values and multiply that integer by the count of the value.

This is best explained by an example:

received_files has the following field values: 1, 2, and 3. There are 100 results for "received_files=1", 50 results for "received_files=2", and 10 results for "received_files=3".

Based on this, I want to do this calculation: (1*100)+(2*50)+(3*10)=210. Then I want to put that 210 into a field called "total_files_received". The value of received_files changes all the time and could have 1, 2, and 3 one second, then it could have 350 in there the next.

How do I do this?

Tags (3)
1 Solution Revered Legend

Try something like this Engager

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc

Multiplying "count" by a whole number returns expected result with three columns. When i replace 10 with Batch_Size, it gives only two columns : Batch_Size, count.

Not sure why Batch_Size is not working in the multiplication operation.

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
| convert num(Batch_Size)
| stats count BY Batch_Size
| eval tc = (10 * count)

Splunk Enterprise Version: 7.2.6

Any help will be appreciated. Thanks, Ro Revered Legend

Can you post some sample raw data? I'm guessing field Batch_Size is not recognized as number (per your field extraction, you're extracting a space as well in its value) and the multiplication is failing. Give this a try as well

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)\s(?P<Batch_Size>\d)"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc Engager

Thank you somesoni2. That worked. I really appreciate your help. 🙂 Revered Legend

Try something like this New Member

I did NOT know you could just multiply it by "count". I've always used it as you did in stats, or by using count(). Thanks! That did exactly what I wanted. Engager

It did not work for me 😞 . Please see my comment above. Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Get Updates on the Splunk Community!