Solved: Suming up fields only once based on field

Jimenez · ‎05-21-2025

Hi all,

I have the following situation with a query returning a table of this kind:

fieldA	fieldB
A	2
A	2
B	4
B	4

I need to add a column to this table that sums up fieldB only once per fieldA unique value, meaning a new column that sums 2+4 = 6

table would look like this:

fieldA	fieldB	sum_unique
A	2	6
A	2	6
B	4	6
B	4	6

I know that I have to use | eventstats sum() here but I am struggling how to define it has to be once per fieldA unique value.

Thanks in advance

Miguel

ITWhisperer · ‎05-21-2025

| appendpipe
    [| chart values(fieldB) as unique by fieldA]
| eventstats sum(unique) as sum_unique
| where isnull(unique)
| fields - unique

View solution in original post

kiran_panchavat · ‎05-21-2025

@Jimenez

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

ITWhisperer · ‎05-21-2025

| appendpipe
    [| chart values(fieldB) as unique by fieldA]
| eventstats sum(unique) as sum_unique
| where isnull(unique)
| fields - unique

Jimenez · ‎05-21-2025

Works great!. Thanks!

Suming up fields only once based on field

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation