Hi,
I have created a table in Splunk and 1 of the fields is numeric ('sloc').
I would like to sum the values for each 'core'
I was trying to write something like:
index=testeda_p groupID=sloc_data
| table core sloc_date sloc
| stats sum(sloc) as sumForCore by core
But there are no results in the new field I created (sumForCore)
My result:
I have also tried:
| stats sum(tonumber(sloc)) as sumForCore by core
and nothing
what am I doing wrong?
Thanks
cmerriman, it didn't work for me. I think the problem was with the format of the numbers.
the trim function solved my problem.
do you ever have any null values in sloc?
try
index=testeda_p groupID=sloc_data
| table core sloc_date sloc
| fillnull value=0 sloc
| stats sum(sloc) as sumForCore by core
if that doesn't work, add | eval sloc=tonumber(sloc) before the fillnull command.
How are you getting your sloc? Is it possible there is whitespace (before and/or after)?
index=testeda_p groupID=sloc_data
| eval sloc=trim(sloc)
| stats sum(sloc) as sumForCore by core
Or extract only digits through rex (if you have decimal values your rex will change). The following rex is based on your sample data.
index=testeda_p groupID=sloc_data
| rex field=sloc "(?<sloc>\d+)"
| stats sum(sloc) as sumForCore by core
Please try out and confirm.
Thank you!
The trim function did solve my problem.
Anytime! Glad it worked 🙂
Hi
did you try
index=testeda_p groupID=sloc_data
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core
?
Bye.
Giuseppe
Just tried and still no result in the sumForCore field
two stupid tests
index=testeda_p groupID=sloc_data
| stats sum(sloc) by core
index=testeda_p groupID=sloc_data
| stats count by core
Bye.
Giuseppe
the count works just fine but the sum returns no value
This means that sloc has a text format and you have to convert it to a number.
try with
index=testeda_p groupID=sloc_data
| eval sloc=tonumber(sloc)
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core
Bye.
Giuseppe
Still no results in sumForCore
count, min, max
only avg and sum doesn't
yes: count, min and max don't use numbers, in fact if you verify, 2 is greater than 15!
if you try index=_internal kb=* | head 100 | stats sum(kb) AS kb by host
you can see that the method is correct.
you should verify the format of sloc because there's some problem in the format, maybe decimals.
try using
index=testeda_p groupID=sloc_data
| convert num(sloc) AS sloc2
| stats values(sloc_date) AS sloc_date sum(sloc2) as sumForCore by core
Bye.
Giuseppe
the last suggestion does not work either.
I will try to figure out the problem with the format
thanks
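
Added example, not part of the original thread: a self-contained search that builds constructed sample rows with makeresults and labels each sloc value with the format problems raised in the replies above (missing value, surrounding whitespace, non-numeric text), then sums only the cleaned number. The sample values and the field names n, sloc_num and problem are assumptions made for illustration; to run it against the real data, replace the first four lines with index=testeda_p groupID=sloc_data.

```spl
| makeresults count=6
| streamstats count AS n
| eval core=if(n<=3, "coreA", "coreB")
| eval sloc=case(n=1, " 120", n=2, "80 ", n=3, "15", n=4, "1,200", n=5, "42")
| eval sloc_num=tonumber(trim(sloc))
| eval problem=case(isnull(sloc), "missing", len(sloc)!=len(trim(sloc)), "whitespace", isnull(sloc_num), "non-numeric", true(), "ok")
| stats count sum(sloc_num) AS sumForCore by core problem
```

Rows labelled "whitespace" are the case the trim answer fixes; rows labelled "missing" or "non-numeric" contribute nothing to the sum and point to a problem in how sloc is extracted.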