Re: How to sum correctly?

tonahoyos · ‎10-23-2017

Hello All,

I am having an issue using the stats sum command. This is currently my search:

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
| stats sum(Sales) as Sales , sum(Costs) as Costs

I checked if the values were correctly summed on excel, and it turns out that the sums are off. What can it be? I tried to erase and upload the data again, I tried to reformat the values, etc. Is this the wrong command to use?

There are positive and negative values on the Domestic Amount field, I am not sure if it is taking all of the negative values.

Best

DalJeanis · ‎10-25-2017

First do this and see if the results look reasonable...

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" 
| stats sum(DomesticAmount) as TotalAmount by ObjectAccount
| appendpipe [ | eval ObjectAccount = substr(ObjectAccount ,1,1)." Total" | stats sum(TotalAmount) as TotalAmount  by ObjectAccount ]

tonahoyos · ‎10-27-2017

The results are exactly the same as before. It seems as if some values are being ignored. Thank you for your help!

niketn · ‎10-25-2017

@tonahoyos, by testing in Excel, do you mean you ran query in Splunk without the final stats pipe and exported the result as CSV using Export button in Splunk Search UI. And then calculate the sum by opening CSV in Excel?

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*"
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tonahoyos · ‎10-27-2017

I double checked my answers with the original excel dataset that I uploaded in Splunk. It seems as if it was not reading some values.

elliotproebstel · ‎10-23-2017

Have you checked to make sure the values populating the Sales and Costs fields match what you expect? Maybe try this to be sure:

source="Jan_Sept_FinanceSample.csv" host="Jan_September" index="finance_sample" sourcetype="csv" ObjectAccount="411010" OR ObjectAccount="5*" | eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0) | stats list(Sales) as Sales , list(Costs) as Costs BY ObjectAccount

If that's not the issue, are the values you are summing particularly large? Negative values alone should not cause this problem.

tonahoyos · ‎10-25-2017

Hello eliotproebstel,

When I do the command values(DomesticAmount), it gives me all the values that need to be added. But once I run the command sum(DomesticAmount), it gives me a completely different answer than what I know should be. On one of the occasions, a warning showed up stating that some values may have been truncated or ignored. The sum is of of 8 digits, but the values are not larger than 5 digits. Would this be an issue?

How to sum correctly?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation