Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sum correctly?

tonahoyos
Explorer
‎10-23-2017 01:40 PM

Hello All,

I am having an issue using the stats sum command. This is currently my search:

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
| stats sum(Sales) as Sales , sum(Costs) as Costs

I checked if the values were correctly summed on excel, and it turns out that the sums are off. What can it be? I tried to erase and upload the data again, I tried to reformat the values, etc. Is this the wrong command to use?

There are positive and negative values on the Domestic Amount field, I am not sure if it is taking all of the negative values.

Best

0 Karma
Reply

DalJeanis
Legend
‎10-25-2017 02:46 PM

First do this and see if the results look reasonable...

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" 
| stats sum(DomesticAmount) as TotalAmount by ObjectAccount
| appendpipe [ | eval ObjectAccount = substr(ObjectAccount ,1,1)." Total" | stats sum(TotalAmount) as TotalAmount  by ObjectAccount ]
0 Karma
Reply

tonahoyos
Explorer
‎10-27-2017 08:25 AM

The results are exactly the same as before. It seems as if some values are being ignored. Thank you for your help!

0 Karma
Reply

niketn
Legend
‎10-25-2017 02:16 PM

@tonahoyos, by testing in Excel, do you mean you ran query in Splunk without the final stats pipe and exported the result as CSV using Export button in Splunk Search UI. And then calculate the sum by opening CSV in Excel?

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

tonahoyos
Explorer
‎10-27-2017 08:27 AM

I double checked my answers with the original excel dataset that I uploaded in Splunk. It seems as if it was not reading some values.

0 Karma
Reply

elliotproebstel
Champion
‎10-23-2017 02:06 PM

Have you checked to make sure the values populating the Sales and Costs fields match what you expect? Maybe try this to be sure:

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
| stats list(Sales) as Sales , list(Costs) as Costs BY ObjectAccount

If that's not the issue, are the values you are summing particularly large? Negative values alone should not cause this problem.

0 Karma
Reply

tonahoyos
Explorer
‎10-25-2017 01:55 PM

Hello eliotproebstel,

When I do the command values(DomesticAmount), it gives me all the values that need to be added. But once I run the command sum(DomesticAmount), it gives me a completely different answer than what I know should be. On one of the occasions, a warning showed up stating that some values may have been truncated or ignored. The sum is of of 8 digits, but the values are not larger than 5 digits. Would this be an issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...