Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sum of field b after making multivalue fields and sort by date

chaday00
Path Finder
‎05-28-2021 08:59 AM

I have created several 'rex' expressions that parse data into their own fields and the created multivalue fields combining these into a common field. I'd like to know if it is possible to query this mutlivalue field and get the sum of a different field. 

vuln_summarythreat_valuedate
Microsoft finding a29005/28/2021
Microsoft finding a1005/28/2021
Skype finding a5005/28/2021
Windows finding a30005/28/2021
Windows finding b25005/28/2021
Linux finding a10005/28/2021
Linux finding b5005/28/2021

I've created the following rex fields that work to lumb these findings together:

 

| rex field=vuln_summary "(?<ms>^.*?(Microsoft).*?$)" 
| rex field=vuln_summary "(?<skype>^.*?(Skype).*?$)" 
| rex field=vuln_summary "(?<windows>^.*?(Windows).*?$)"
| rex field=vuln_summary "(?<linux_os>^.*?(Linux)|(linux).*?$)"

 

 Then a multivalue field that combines them into one field called 'microsoft' and similar for Linux:

 

| eval microsoft=mvappend(ms, windows, skype, rpc)
| eval linux=mvappend(linux_os, grub, bind, gnome, libpng, curl)

 

I'd like to get the sum of the 'threat_value' for the multivalue fields and other fields for a stacked bar chart by Date.  Something like below, I think: 

Datesum of TRS for microsoftsum of TRS for linuxsum of TRS for field 'x'
05/28/202190001500nnn
    
    
Labels (5)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2021 10:39 AM

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2021 10:39 AM

Perhaps this will help.  I've simplified the regular expressions, too.

...
| rex field=vuln_summary "(?<OS>Microsoft|Skype|Windows|Linux)"
| eval OS=case(OS="Microsoft" OR OS="Windows" OR OS="Skype", "Microsoft", 1==1, "Linux")
| eval _time=strptime(Date, "%m/%d/%Y")
| timechart span=1d sum(threat_value) as "Sum of TRS" by OS
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...