Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum the values of a multivalue field.?

gvnd
Path Finder
‎05-19-2017 06:37 AM

Hi my query is:
index=_internal earliest=-60m@m latest=now|transaction method | table root method status bytes | nomv bytes

result for above query is:
alt text

Here, I want to sum of all the values of "bytes" field . i.e single value of bytes field for each method.

Thanks in advance

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-19-2017 07:49 AM

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-19-2017 07:56 AM

using eventstats:

 index = _internal | transaction method | table root method status bytes | eventstats sum(bytes) as Total_Bytes_by_Transaction | fields - bytes

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-19-2017 08:20 AM

You need a unique field for each transaction in order for eventstats to give you a by-transaction sum of the bytes. If you want the total bytes associated with each transaction, then you can do this...

index=_internal earliest=-60m@m latest=now
| transaction method 
| table root method status bytes 
| streamstats count as tranno
| eventstats sum(bytes) as totalbytes by tranno

...then, only if you want to retain the byte details for some reason... 

| nomv bytes

... or if not 

| field - bytes
Reply
Solved! Jump to solution

tedwroks
Explorer
‎12-01-2017 10:52 PM

This works, but I found out that you have to use mvlist=t option in transaction, otherwise, repeated values in the mv field are not accounted for. i.e.,

index=_internal earliest=-60m@m latest=now
 | transaction  mvlist=t method 
 | table root method status bytes 
 | streamstats count as tranno
 | eventstats sum(bytes) as totalbytes by tranno
0 Karma
Reply
Solved! Jump to solution

gvnd
Path Finder
‎05-20-2017 06:47 AM

Thanks for amazing explanation..!!

Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-19-2017 08:30 AM

thank you for that!

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-19-2017 07:49 AM

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...