Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to sum same field twice

TylerJVitale
Explorer
โ€Ž06-24-2019 11:57 AM

I want to be able to sum the same field in order to create 2 different fields so that I can compare the Volume by application to the total volume. Right now this is the structure of my search:

| stats sum(VOLUME) as VOLUME, count(USERNAME_O) as AFFECTED_USERS by APPLICATION | 
join [ search |  stats sum(VOLUME) as TOTAL_VOLUME | where TOTAL_VOLUME > 1 |  head 1 ]

Is there a more efficient way I can do this so that I don't have to use the "join" part and go through the whole index twice?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnudell_2
Builder
โ€Ž06-24-2019 12:05 PM

Hi @TylerJVitale ,

This sounds like a good place to use eventstats.

| stats sum(VOLUME) as VOLUME, count(USERNAME_O) as AFFECTED_USERS by APPLICATION
| eventstats sum(VOLUME) as TOTAL_VOLUME

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jnudell_2
Builder
โ€Ž06-24-2019 12:05 PM

Hi @TylerJVitale ,

This sounds like a good place to use eventstats.

| stats sum(VOLUME) as VOLUME, count(USERNAME_O) as AFFECTED_USERS by APPLICATION
| eventstats sum(VOLUME) as TOTAL_VOLUME

View solution in original post

0 Karma
Reply