Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum the numbers based on a condition and store it in new field?

amaurya1
Explorer
‎07-08-2019 02:56 PM

Requirement -
account_no can have many session_no and session_no can have many sub_session_no. For each session, I want to find the total number of fails with no success at all and finally I want to sum all these fails.

index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0)
| eval is_failed=if(label=="FAIL", 1, 0)
| stats values(sub_session_no),  sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no
| eval fails_within_session = if(fail > 0 and success = 0, sum(fail), 0)
| stats sum(fails_within_session) as Total_failed

Problem - I get an error in the second last line of the code saying "sum" can't be used with eval. Can someone please help me with this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-08-2019 05:06 PM

Hey Amaurya,

Since the "fail" field is already a sum of the "is_failed" field by account_no and session_no, you should be able to use it directly in place of the "sum(fail)" portion of your eval function to find the failures per session. 

 index=abc sourcetype=xyz 
| eval is_passed=if(label=="PASS", 1, 0) 
| eval is_failed=if(label=="FAIL", 1, 0) 
| stats values(sub_session_no), sum(is_passed) as pass, sum(is_failed) as fail by account_no session_no 
| eval fails_within_session = if(fail > 0 AND pass = 0, fail, 0)
| stats sum(fails_within_session) as Total_failed

If I'm misunderstanding the question, please let me know and I will re-work the answer!

0 Karma
Reply
Solved! Jump to solution

amaurya1
Explorer
‎07-10-2019 09:18 AM

@rbechtold - Thanks a lot.. I think you are right, it's giving me correct answer.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...