Solved: Re: How to summarize these search results?

ctsurumaki · ‎04-18-2023

Hello fellow splunkers!

I'm getting these results from my splunk search but struggling to find a way to summarize the last numbers from the results. In the example below (31 + 3 + 98 + 7 + 35) and get a total count of 174 which I could display as a new field?

Just started using splunk and will take some training but thought one of the experts out there might have be able to help.

Best regards and thanks!

index="logs" sourcetype="_json"

| extract pairdelim="{,}" kvdelim=":" |fields message,robotName,timeStamp,Level,processName| search message="G3*Total Claims count is - *" processName="GroupClaimsDispatcher_GroupClaimsDispatcher" robotName="Unattended_Robot73"| table timeStamp,Level,processName,robotName,message| dedup message | sort -timeStamp

2023-04-17T16:45:41.1960125Z	Info	GroupClaimsDispatcher_GroupClaimsDispatcher	Unattended_Robot73	G3 --- Total Claims count is - 31
2023-04-17T16:44:16.8150041Z	Info	GroupClaimsDispatcher_GroupClaimsDispatcher	Unattended_Robot73	G3 --- Total Claims count is - 3
2023-04-17T10:00:44.2792246Z	Info	GroupClaimsDispatcher_GroupClaimsDispatcher	Unattended_Robot73	G3 --- Total Claims count is - 98
2023-04-17T10:00:21.3532608Z	Info	GroupClaimsDispatcher_GroupClaimsDispatcher	Unattended_Robot73	G3 --- Total Claims count is - 7
2023-04-17T09:59:20.2110636Z	Info	GroupClaimsDispatcher_GroupClaimsDispatcher	Unattended_Robot73	G3 --- Total Claims count is - 35

woodcock · ‎04-20-2023

|makeresults
| eval _raw="
timeStamp Level processName robotName message
2023-04-17T16:45:41.1960125Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 31
2023-04-17T16:44:16.8150041Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 3
2023-04-17T10:00:44.2792246Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 98
2023-04-17T10:00:21.3532608Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 7
2023-04-17T09:59:20.2110636Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 35"
| multikv forceheader=1
| table timeStamp Level processName robotName message
| rex field=message "--- Total Claims count is - (?<claimsCount>\d+)"
| eventstats sum(claimsCount) AS claimsCountTotal

View solution in original post

woodcock · ‎04-20-2023

|makeresults
| eval _raw="
timeStamp Level processName robotName message
2023-04-17T16:45:41.1960125Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 31
2023-04-17T16:44:16.8150041Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 3
2023-04-17T10:00:44.2792246Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 98
2023-04-17T10:00:21.3532608Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 7
2023-04-17T09:59:20.2110636Z Info GroupClaimsDispatcher_GroupClaimsDispatcher Unattended_Robot73 G3 --- Total Claims count is - 35"
| multikv forceheader=1
| table timeStamp Level processName robotName message
| rex field=message "--- Total Claims count is - (?<claimsCount>\d+)"
| eventstats sum(claimsCount) AS claimsCountTotal

ctsurumaki · ‎04-21-2023

Thanks! This worked perfectly 🙂

ctsurumaki · ‎04-20-2023

Thanks ITWhisperer - will give it a try 🙂 Much appreciated!

ITWhisperer · ‎04-18-2023

| rex field=message "Total Claims count is - (?<claims>\d+)"
| eventstats sum(claims) as total

How to summarize these search results?

eval

field extraction

regex

rex

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience