Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum the values of a multivalue field.?

gvnd
Path Finder
‎05-19-2017 06:37 AM

Hi my query is:
index=_internal earliest=-60m@m latest=now|transaction method | table root method status bytes | nomv bytes

result for above query is:
alt text

Here, I want to sum of all the values of "bytes" field . i.e single value of bytes field for each method.

Thanks in advance

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-19-2017 07:49 AM

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-19-2017 07:56 AM

using eventstats:

 index = _internal | transaction method | table root method status bytes | eventstats sum(bytes) as Total_Bytes_by_Transaction | fields - bytes

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-19-2017 08:20 AM

You need a unique field for each transaction in order for eventstats to give you a by-transaction sum of the bytes. If you want the total bytes associated with each transaction, then you can do this...

index=_internal earliest=-60m@m latest=now
| transaction method 
| table root method status bytes 
| streamstats count as tranno
| eventstats sum(bytes) as totalbytes by tranno

...then, only if you want to retain the byte details for some reason... 

| nomv bytes

... or if not 

| field - bytes
Reply
Solved! Jump to solution

tedwroks
Explorer
‎12-01-2017 10:52 PM

This works, but I found out that you have to use mvlist=t option in transaction, otherwise, repeated values in the mv field are not accounted for. i.e.,

index=_internal earliest=-60m@m latest=now
 | transaction  mvlist=t method 
 | table root method status bytes 
 | streamstats count as tranno
 | eventstats sum(bytes) as totalbytes by tranno
0 Karma
Reply
Solved! Jump to solution

gvnd
Path Finder
‎05-20-2017 06:47 AM

Thanks for amazing explanation..!!

Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-19-2017 08:30 AM

thank you for that!

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-19-2017 07:49 AM

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...