Splunk Search
Highlighted

How to sum up numeric value for a matching string pattern?

New Member

Hi,

I have following pattern in my logs and i have need to sum up the numeric values. I want to sum up how many products persisted by evaluating following log statment?

2020-03-25 02:48:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50

What would be the right way to sum up persisted product? In above example 50 products got persisted. So considering following logs, my requirement is to get sum of 150 product persisted.

2020-03-25 02:18:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50
2020-03-25 02:28:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 40
2020-03-25 02:38:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 60

Do need to add any field with eval expression? if yes how to achieve it?

regards,
Pawan Modi

0 Karma
Highlighted

Re: How to sum up numeric value for a matching string pattern?

SplunkTrust
SplunkTrust

Assuming you have the persisted value extracted as 'persisted' then you can get the sum using | stats sum(persisted) as TotalPersisted.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to sum up numeric value for a matching string pattern?

New Member

Hi Rich,

I have extracted but not sure if that work because it has string literals as well as numeric values. How to read numeric value from extracted field? Sorry i am very new to this techonlogy.

regards,
Pawan Modi

0 Karma

Re: How to sum up numeric value for a matching string pattern?

SplunkTrust
SplunkTrust

In your example logs, the persisted field is only numeric so a proper extraction should not have non-numeric values. You may need to further process the field to eliminate non-numeric values.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to sum up numeric value for a matching string pattern?

Esteemed Legend

First create an field extraction for this sourcetype so that persisted is always available for every search. Then just do this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| stats sum(persisted) AS Total_Persisted BY host and/or other fields here

The field extraction might be something like this:

REGEX = Total number of manual products persisted\s*-\s*(?<persisted>\d+)
0 Karma
Highlighted

Re: How to sum up numeric value for a matching string pattern?

New Member

thanks woodcock!! I will give a try.

0 Karma