Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum the numbers based on a condition and store it in new field?

amaurya1
Explorer
‎07-08-2019 02:56 PM

Requirement -
account_no can have many session_no and session_no can have many sub_session_no. For each session, I want to find the total number of fails with no success at all and finally I want to sum all these fails.

index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0)
| eval is_failed=if(label=="FAIL", 1, 0)
| stats values(sub_session_no),  sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no
| eval fails_within_session = if(fail > 0 and success = 0, sum(fail), 0)
| stats sum(fails_within_session) as Total_failed

Problem - I get an error in the second last line of the code saying "sum" can't be used with eval. Can someone please help me with this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

0 Karma
Reply
Solved! Jump to solution

amaurya1
Explorer
‎07-10-2019 09:18 AM

@rbechtold - Thanks a lot.. I think you are right, it's giving me correct answer.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top