Splunk Search

How to sum the values of a multivalue field.?

gvnd
Path Finder

Hi my query is:
index=_internal earliest=-60m@m latest=now|transaction method | table root method status bytes | nomv bytes

result for above query is:
alt text

Here, I want to sum of all the values of "bytes" field . i.e single value of bytes field for each method.

Thanks in advance

Tags (1)
0 Karma
1 Solution

niketnilay
Legend

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

adonio
Ultra Champion

using eventstats:

 index = _internal | transaction method | table root method status bytes | eventstats sum(bytes) as Total_Bytes_by_Transaction | fields - bytes

alt text

DalJeanis
SplunkTrust
SplunkTrust

You need a unique field for each transaction in order for eventstats to give you a by-transaction sum of the bytes. If you want the total bytes associated with each transaction, then you can do this...

index=_internal earliest=-60m@m latest=now
| transaction method 
| table root method status bytes 
| streamstats count as tranno
| eventstats sum(bytes) as totalbytes by tranno

...then, only if you want to retain the byte details for some reason...

| nomv bytes

... or if not

| field - bytes

tedwroks
Explorer

This works, but I found out that you have to use mvlist=t option in transaction, otherwise, repeated values in the mv field are not accounted for. i.e.,

index=_internal earliest=-60m@m latest=now
 | transaction  mvlist=t method 
 | table root method status bytes 
 | streamstats count as tranno
 | eventstats sum(bytes) as totalbytes by tranno
0 Karma

gvnd
Path Finder

Thanks for amazing explanation..!!

adonio
Ultra Champion

thank you for that!

niketnilay
Legend

Switch from transaction to stats. Add sourcetype/source to your query if it is applicable. _internal index contains a lot of Splunk's sourcetypes for internal purpose.

index=_internal sourcetype=* earliest=-60m latest=now
| stats values(root) as root values(status) as status sum(bytes) as bytes by method

updated to remove count as you dont seem to require eventcount or duration.

PS: This is not a use case for transaction and stats should perform better in this case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>