Solved: How to sum two fields ?

aymericbrun · ‎05-18-2011

Hello,

How can i sum fields to have the total in a new field ?
For example, i have a field called (BytesReceivedPerSec) and i would have the sum of this field for all the event (in realtime)

I tried accum BytesReceivedPersec AS bytesrcvdtotal but i doesn't do a total sum of all the bytes received.

Have you an idea ?

Thanks

Ant1D · ‎05-18-2011

Try the following search:

index=Your_Index | stats sum(BytesReceivedPerSec) AS bytes_total

View solution in original post

aymericbrun · ‎05-18-2011

Thank you very much 🙂

It works perfectly

my search exactly :

host=hp-dev index="main"| stats sum(BytesReceivedPersec) AS octets_recus sum(BytesSentPersec) AS octets_envoyes | eval octets_recus_Mo=octets_recus / 1000000 | eval octets_envoyes_Mo=octets_envoyes / 1000000

Ant1D · ‎05-18-2011

Glad to help 🙂

Ant1D · ‎05-18-2011

Try the following search:

index=Your_Index | stats sum(BytesReceivedPerSec) AS bytes_total

How to sum two fields ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation