How to show stats sum for a field using a value pr...

franksteinar · ‎02-10-2016

Hi,

I have one field with values for each month, and this eval gives me the current month name(current February);

eval mnd=strftime(_time, "%B")

Field1 is named January, Field2 February...

But when I try to sum this field with stats, I get no results;

stats sum(mnd)

I want this search to automatically show the current month's sum, and not using a static value in the stats sum expression.

sunnyparmar · ‎02-11-2016

| stats count by mnd

or

| stats count by sum(mnd)

DalJeanis · ‎01-05-2017

The first one is right. The second doesn't seem to make any sense.

I think you may have meant (for the second one)

| stats sum(SomeField) as "Total of SomeField" by mnd

somesoni2 · ‎02-10-2016

Are you looking for a sum of some field and you want column (with sum) for each month?? If that's the case try something like this

your base search | eval mnd=strftime(_time, "%B")  | eval temp=1 | chart sum(WhateverFieldYouWantToSum) over temp by mnd | fields - temp

franksteinar · ‎02-11-2016

Hi,

the challenge here is that "WhateverFieldYouWantToSum" is a static reference to a field, I need a dynamic reference to a field.
From my last post:
What I want to accomplish, is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I easily can display February with a static expression;
stats sum(February)

that means I need to maintain this manually every month to match the month we are currently in. How can I make this flexible, so that the stats sum choose the current month. Each month is represented with its own field(or column).

somesoni2 · ‎02-11-2016

Here the month name (which will appear as a column name) is dynamic only. Not sure if you tried this at all..

Could you provide the current search where you've to provide the Month name using static expression??

javiergn · ‎02-10-2016

Hi, sorry I'm a bit confused by your question.
%B is creating a string therefore you can't sum it in Splunk.

If you want to sum months using integers simply use %m instead.

Stats won't care about whether your field comes from an eval or not. A field is a field.

Please let me know if that's not what you are looking for.

franksteinar · ‎02-11-2016

Hi,

sorry, I will try to be more presise. What I want to accomplish, is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I easily can display February with a static expression;
stats sum(February)

that means I need to maintain this manually every month to match the month we are currently in. How can I make this flexible, so that the stats sum choose the current month. Each month is represented with its own field(or column).

Hope this makes more sense:)

PS! Using %m did not make any difference, even though I adjusted the fields/columns to 01, 02, 03...

javiergn · ‎02-12-2016

If you want to display the current monthly dynamically simply use the following:

| eval current_month = strftime(now(), "%B")

Then restrict your search to only return events for the month we are currently in:

index=foo sourcetype=bar earliest=@mon

Hope that makes sense.

How to show stats sum for a field using a value produced from an eval statement?

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices

Streamline Data Ingestion With Deployment Server Essentials