Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Suming up fields only once based on field

Jimenez
Explorer
‎05-21-2025 01:04 AM

Hi all, 

I have the following situation with a query returning a table of this kind:

fieldAfieldB
A2
A2
B4
B4

 

I need to add a column to this table that sums up fieldB only once per fieldA unique value, meaning a new column that sums 2+4 = 6

table would look like this:

fieldAfieldBsum_unique
A26
A26
B46
B46

 

I know that I have to use | eventstats sum() here but I am struggling how to define it has to be once per fieldA unique value.

Thanks in advance

Miguel

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2025 01:21 AM 
| appendpipe
    [| chart values(fieldB) as unique by fieldA]
| eventstats sum(unique) as sum_unique
| where isnull(unique)
| fields - unique

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎05-21-2025 01:24 AM

@Jimenez 

kiran_panchavat_0-1747815864810.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2025 01:21 AM 
| appendpipe
    [| chart values(fieldB) as unique by fieldA]
| eventstats sum(unique) as sum_unique
| where isnull(unique)
| fields - unique
0 Karma
Reply
Solved! Jump to solution

Jimenez
Explorer
‎05-21-2025 01:26 AM

Works great!. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...