How to multiply?

rlaul · ‎08-13-2019

Hi,

Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.

The first three lines of this query work fine by itself. After adding the lines 4,5, it does not return anything.

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P\s(\d))"
|stats count  by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc

Any help will be appreciated.

Thanks, Ro,

mayurr98 · ‎08-13-2019

could you pls post the output of first 3 lines?

jpolvino · ‎08-13-2019

When you do a stats command (line 3), the fields visible before it become inaccessible. One way to solve your question:

"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P\s(\d))"
|stats count  AS Volume BY Batch_Size
| eval tc = Batch_Size*Volume

This creates a new field, but you need a field name (Volume) in your stats command for it to work.

How to multiply?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

How to multiply?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...