Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum the numbers based on a condition and store it in new field?

amaurya1
Explorer
‎07-08-2019 02:56 PM

Requirement -
account_no can have many session_no and session_no can have many sub_session_no. For each session, I want to find the total number of fails with no success at all and finally I want to sum all these fails.

index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0)
| eval is_failed=if(label=="FAIL", 1, 0)
| stats values(sub_session_no),  sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no
| eval fails_within_session = if(fail > 0 and success = 0, sum(fail), 0)
| stats sum(fails_within_session) as Total_failed

Problem - I get an error in the second last line of the code saying "sum" can't be used with eval. Can someone please help me with this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

0 Karma
Reply
Solved! Jump to solution

amaurya1
Explorer
‎07-10-2019 09:18 AM

@rbechtold - Thanks a lot.. I think you are right, it's giving me correct answer.

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...