Splunk Search

If I have one field with 3 distinct values, how to sum 2 of the values as a unique value and the 3rd value on its own?

iurafamss
Engager

Hi guys,

I have the following situation.

I have one field that can have three distinct values, and I need to sum two values as a unique value, and the other must have its own value. Sample:

Field: Teste
Values: F, J, Y

Would be: Value1= sum(F+J) and Value2= sum(Y)

Any idea how I can do this?

Regards

0 Karma

alacercogitatus
SplunkTrust

Maybe something like this:

<your_base_search> | stats sum(eval(F+J)) as Value1 sum(Y) as Value2
0 Karma

alacercogitatus
SplunkTrust

On second thought, that won't work. Also - when you have F,J, Y as distinct values is it:

Teste = "F,J,Y" 

OR

Teste = F
Teste = J
Teste = Y
0 Karma

jayannah
Builder

Here you go... I tried the below command; the field newval will be 25.

|  eval Teste="10,15,60" | makemv delim="," Teste | eval val1=mvindex(Teste,0) | eval val2=mvindex(Teste,1) | eval newval=val1+val2

You can make changes as per your index.

Note: to get the last value (60 in the above example) you can use mvindex(Teste, -1)

Let me know if you need any help.

0 Karma
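
For the other case raised in the thread, where each event carries a single Teste value (F, J or Y), conditional aggregation inside stats returns both totals in one pass; this is an added example, not code from any poster in the thread. The makeresults, streamstats and first two eval lines only build six constructed sample events, and the numeric field amount and the output field names are assumptions, so replace those lines with your base search.

```spl
| makeresults count=6
| streamstats count AS n
| eval Teste=case(n<=2, "F", n<=5, "J", true(), "Y")
| eval amount=n*10
| stats count(eval(Teste="F" OR Teste="J")) AS Value1_events
        sum(eval(if(Teste="F" OR Teste="J", amount, 0))) AS Value1_sum
        count(eval(Teste="Y")) AS Value2_events
        sum(eval(if(Teste="Y", amount, 0))) AS Value2_sum
```

The count(eval(...)) columns count matching events, and the sum(eval(if(...))) columns total a numeric field over the same groups; keep whichever pair matches what "sum" means for your data.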