Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to rewrite query to sum both fields based on another field

sangs8788
Communicator
‎07-11-2017 10:14 PM

Hi All,

Here is a query which returns me DATA size and Index size based on domain.

index=db_connect sourcetype=db_metric |join TABLE_NAME [|inputlookup Domain_Module_List.csv |search (Domain ="Inventory")] |eval DATA_MB =round(DATA_KB/1024,2) |eval INDEX_MB = round(INDEX_SIZE_KB/1024,2) |timechart span=1mon sum(DATA_MB),sum(INDEX_MB) by Domain limit=25

I tried to do a sum of DATA and INDEX by rewriting the above query as 

index=db_connect sourcetype=db_metric |join TABLE_NAME [|inputlookup Domain_Module_List.csv |search (Domain ="Inventory")] |eval DATA_MB =(DATA_KB/1024) |eval INDEX_MB = (INDEX_SIZE_KB/1024) |eval SIZE = round((DATA_MB + INDEX_MB),2) |timechart span=1mon sum(SIZE) by Domain

But this doesn't result correct value when validated. I think i am wrong somewhere in the syntax of summing up query.

How do I sum both DATA and Index together and display the result ?

Thanks
Sangeetha

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-12-2017 04:44 AM

your original query gives you the expected results? would this work for you, then?

index=db_connect sourcetype=db_metric |join TABLE_NAME [|inputlookup Domain_Module_List.csv |search (Domain ="Inventory")] |eval DATA_MB =round(DATA_KB/1024,2) |eval INDEX_MB = round(INDEX_SIZE_KB/1024,2) |timechart span=1mon limit=25 sum(DATA_MB) as datamb,sum(INDEX_MB) as indexmb by Domain|foreach indexmb* datamb* [eval size<<MATCHSTR>>='datamd<<MATCHSTR>>'+'indexmd<<MATCHSTR>>']|fields - datamd* indexmd*

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎07-12-2017 04:44 AM

your original query gives you the expected results? would this work for you, then?

index=db_connect sourcetype=db_metric |join TABLE_NAME [|inputlookup Domain_Module_List.csv |search (Domain ="Inventory")] |eval DATA_MB =round(DATA_KB/1024,2) |eval INDEX_MB = round(INDEX_SIZE_KB/1024,2) |timechart span=1mon limit=25 sum(DATA_MB) as datamb,sum(INDEX_MB) as indexmb by Domain|foreach indexmb* datamb* [eval size<<MATCHSTR>>='datamd<<MATCHSTR>>'+'indexmd<<MATCHSTR>>']|fields - datamd* indexmd*
0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎07-12-2017 09:41 PM

Yes it does work. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎07-11-2017 10:55 PM

First, unrelated Why are you doing join on inputlookup? That feels rather odd, as opposed to say just using the lookup command (maybe with an eval prior to insert a needed input field? )

Second I suspect that sum may not be the timechart function you want? I would think metric of data sizes would be reported as a gauge metric, so each sampling period would report current total consumption as opposed current consumption each sampling period, in which case performing sum over time increases the value by a factor of your sample period per Table... You may need to be looking at smaller windows and min/max/stddev metrics an then aggregate across this for larger windows. Can you share more info on what your source data means and c

Reply
Solved! Jump to solution

sangs8788
Communicator
‎07-11-2017 11:25 PM

My lookup files contains the tables which belong to domain - this is not captured anywhere in the logs. So I am fetching the domain from the lookup and file the datasize of table from the logs. The splunk indexed log will contain table level data size and index size

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...