Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sum values from a table

matansocher
Contributor
‎08-31-2017 01:31 AM

Hi,

I have created a table in splunk and 1 of the fields is numeric('sloc').
I would like to sum the values for each 'core'
alt text
I was trying to write something like:

index=testeda_p groupID=sloc_data 
| table core sloc_date sloc
| stats sum(sloc) as sumForCore by core

But there are no results in the new field I created (sumForCore)
My result:
alt text

I have also tried:

| stats sum(tonumber(sloc)) as sumForCore by core

and nothing
what am I doing wrong?

Thanks

Preview file
28 KB
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-31-2017 04:08 AM

How are you getting yout sloc? Is it possible there are whitespaces (before and/or after)?

 index=testeda_p groupID=sloc_data
 | eval sloc=trim(sloc) 
 | stats sum(sloc) as sumForCore by core

Or extract only digits through rex (if you have decimal values your rex will change). Following rex is based on your sample data.

 index=testeda_p groupID=sloc_data
 | rex field=sloc "(?<sloc>\d+)"
 | stats sum(sloc) as sumForCore by core

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 05:33 AM

cmerriman, it didnt work for me. I think the problem was with the format of the numbers.
the trim function solve my problem.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-31-2017 04:40 AM

do you ever have any null values is sloc?

try 

 index=testeda_p groupID=sloc_data 
 | table core sloc_date sloc
 |fillnull sloc value=0
 | stats sum(sloc) as sumForCore by core

if that doesn't work, add |eval sloc=tonumber(sloc) before the fillnull command.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-31-2017 04:08 AM

How are you getting yout sloc? Is it possible there are whitespaces (before and/or after)?

 index=testeda_p groupID=sloc_data
 | eval sloc=trim(sloc) 
 | stats sum(sloc) as sumForCore by core

Or extract only digits through rex (if you have decimal values your rex will change). Following rex is based on your sample data.

 index=testeda_p groupID=sloc_data
 | rex field=sloc "(?<sloc>\d+)"
 | stats sum(sloc) as sumForCore by core

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 04:38 AM

Thank you!
The trim function did solve my problem.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-31-2017 05:58 AM

Anytime! Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2017 02:07 AM

Hi
did you tried

index=testeda_p groupID=sloc_data 
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core

?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 02:14 AM

Just tried and still no result in the sumForCore field

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2017 02:24 AM

two stupid tests
index=testeda_p groupID=sloc_data
| stats sum(sloc) by core

index=testeda_p groupID=sloc_data
| stats count by core

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 02:42 AM

the count works just fine but the sum return no value

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2017 02:50 AM

This means that sloc has a text format and you have to convert it in number.
try with 

index=testeda_p groupID=sloc_data 
| eval sloc=tonumber(sloc)
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 03:25 AM

Still no results in sumForCore
count, min, max
only avg and sum doesn't

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2017 03:39 AM

yes: count min and max don't use numbers, infact if you verify 2 is greater that 15!
if you try index=_internal kb=* | head 100 | stats sum(kb) AS kb by host you can see that the method is correct.
you should verify format of sloc because there's some problem in format, maybe decimals.
try using 

index=testeda_p groupID=sloc_data 
| convert num(sloc) AS sloc2
| stats values(sloc_date) AS sloc_date sum(sloc2) as sumForCore by core

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

matansocher
Contributor
‎08-31-2017 03:57 AM

the last suggestion does not work either.
I will try to figure out the problem with the format
thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...